UK Privacy and Security Enforcement Tracker

Explore the actions taken by the UK privacy regulator for infringements of privacy laws during 2018

Overview

In our fifth annual UK Privacy and Security Enforcement Tracker, we review the key actions which the Information Commissioner’s Office (ICO), the UK privacy regulator, has taken for infringements of privacy laws during 2018.

In our UK interactive tool, we’ve merged the 2018 data with that captured in 2017, allowing you to explore the combined data or choose a specific year. Use the tool to explore the main reasons why fines have been imposed in the UK; understand the industry sectors most impacted and even take a look at the geographic spread of enforcements.

UK findings

As at 15 May 2019, the ICO’s ‘Action we’ve taken’ website page showed that the regulator took a total of 67 enforcement actions during the 2018 calendar year. These included:

  • 16 Enforcement Notices which required the organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law.
  • 41 Monetary Penalty Notices (MPNs) resulting in organisations paying a fine - the more serious the breach, the higher the fine.
  • 6 Prosecutions against those who committed a criminal offence under the Data Protection Act 1998 (the Act) through the Court system.
  • 4 Undertakings which committed the organisations to a particular course of action in order to improve their compliance.

The fines issued related mainly to activity which took place prior to the GDPR implementation date of 25 May 2018 and none exceeded the upper fine limit of £500,000 possible under the Act. Though the number of enforcement actions in 2018 was 35% lower than in 2017, the cumulative value of fines still grew by £2.5m. The 2018 enforcements also revealed some interesting details:

  • A new infringement category, non-payment of the data protection fee, with the ICO issuing three bulk MPNs to companies in the manufacturing, finance and business industry sectors.
  • Marketing accounted for half of all the ICO’s enforcement actions with 64% due to telephone marketing.
  • A staggering total of 292 million people were impacted by the 67 breaches.

Use our interactive tool below to explore the UK data by breach type or by industry sector, and by year. As well as key statistics relating to the actions taken, you can also click on the reasons behind each enforcement to reveal detailed summaries for each breach. Please note that if there are no entries for your specific data selection, the filters will reset.

Explore the data by industry or by breach
  • Prosecutions: prosecutions of those who commit criminal offences under the Act through the Court system.
  • MPNs: Monetary Penalty Notices require organisations to pay up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010.
  • Enforcements: Enforcement Notices require organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law.
  • Undertakings: Undertakings commit an organisation to a particular course of action in order to improve its compliance.
Brighter Homes Solutions Ltd
12 May 2017
Monetary Penalty
PECR — Regulation 21
The Commissioner has received 187 complaints via the TPS and directly from individuals who are subscribers to specific telephone lines. The individuals allege they have received unsolicited marketing calls on those lines from Brighter Home Solutions Ltd. Each individual states that they have previously notified Brighter Home Solutions Ltd that such calls should not be made on that line and/or have registered their number with the TPS.
Enforced remedial action required within 35 days:
  1. Neither use, nor instigate the use of a public electronic communications service for the purposes of making unsolicited direct marketing calls where the called line is that of:
    • A subscriber who has previously notified Brighter Home Solutions Ltd that such calls should not be made on that line; and/or
    • A subscriber who has registered their number with the TPS at least 28 days previously and who has not notified Brighter Home Solutions Ltd that they do not object to such calls being made.
Concept Car Credit Limited
12 May 2017
Monetary Penalty
PECR — Regulation 22
Over an 18 month period between 2015 and 2016, the Company used a public telecommunications service for the purposes of instigating the transmission of 336,000 unsolicited communications by means of electronic mail to individual subscribers for direct marketing purposes contrary to Regulation 22 of PECR.
In this case the Commissioner is satisfied that the Company did not have the consent, within the meaning of the regulation 22 (2), of the 336,000 subscribers to whom it sent unsolicited direct marketing text messages.
Enforced remedial action required within 35 days:
  1. Except in the circumstances referred to in paragraph (3) of Regulation 22 of the Regulations, neither transmit, nor instigate the transmission of unsolicited communications for direct marketing purposes by means of electronic mail unless the recipient has previously notified Concept Car Credit Limited that they consent for the time being to such communications being sent by, or at the instigation of, Concept Car Credit Limited.
Davies Brothers (Wales) Limited
23 January 2017
DPA — 6th Principle
Davies Brothers (Wales) Limited is a “data controller” as defined in section 1 (1) of the Data Protection Act 1998 (“DPA”).
Section 4 (4) of the DPA provides that, subject to Section 27 (1), it is the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.
The Commissioner held that Davies Brothers (Wales) Limited contravened the Sixth Data Protection Principle in that, contrary to Section 7, it has failed to inform the complainant, without undue delay, whether personal data of which this individual was the data subject were being processed by or on behalf of the data controller and, where that was the case, failed, without undue delay, to have communicated to them in an intelligible form information which may constitute personal data.
Enforced remedial action required within 30 days:
  • Inform the complainant whether the personal data processed by the data controller includes personal data of which the complainant is the data subject and supply them with a copy of any personal data so processed in accordance with the requirements of Section 7 of the DPA and the Sixth Data Protection Principle in that respect, subject only to the proper consideration and application of any exemption from, or modification to, Section 7 of the DPA provided for in or by virtue of part IV of the DPA which may apply.
Easyleads Limited
14 September 2017
Monetary Penalty
PECR — Regulations 19 & 24
Between 22 October 2015 and 30 June 2017 Easyleads Limited instigated the transmission of 16,730,340 automated marketing calls to subscribers without prior consent, resulting in 551 complaints to the ICO. Easyleads Limited also contravened Regulation 24 of PECR in that it did not identify the person who was sending or instigating the automated marketing calls or provide the address of the person or a telephone number on which this person can be reached free of charge.
Enforced remedial action required within 35 days:
  1. Neither transmit, nor instigate the transmission of communications comprising recorded matter for direct marketing purposes by means of an automated calling system except:
    1. Where the line called is that of a subscriber who has previously notified Easyleads Limited that for the time being they consent to such communications being sent by, or at the instigation of, Easyleads Limited; and
    2. Where the communication includes the name of Easyleads Limited and either the address of Easyleads Limited or a telephone number on which Easyleads Limited can be reached free of charge.
H.P.A.S. Limited t/a Safestyle UK
31 July 2017
Monetary Penalty
PECR — Regulation 21
The Commissioner received 264 complaints via the TPS and directly from individuals who are subscribers to specific telephone lines. The individuals alleged that they have received unsolicited marketing calls on those lines from HPAS. Each individual stated that they had previously notified HPAS that such calls should not be made on that line and/or have registered their number with the TPS.
Enforced remedial action required within 70 days:
  1. Review all of its telephone marketing data to ensure that it can evidence the consents it relies upon to make marketing calls. Pursuant to the Commissioner’s Direct Marketing Guidance the consent must be knowingly and freely given, clear and specific.
  2. All such data where the evidence of specific consent cannot be verified shall be screened against the TPS register before being used to make marketing calls.
  3. Put in place an effective suppression system to ensure that all requests not to be called again received from subscribers are recorded, actioned and retained in place until such time as positive specific consent to receiving such calls is obtained.
  4. Screen all unsolicited calls against that suppression system and against the TPS register.
Hamilton Digital Solutions Limited
16 November 2017
Monetary Penalty
PECR — Regulation 22
Between 1 April 2016 and 19 September 2016, Hamilton Digital Solutions Limited (HDSL) used a public electronic telecommunications service for the purposes of instigating the transmission of 156,250 unsolicited communications by means of electronic mail to individual subscribers for direct marketing purposes contrary to Regulation 22 of PECR.
Enforced remedial action required within 35 days:
  1. Except in the circumstances referred to in paragraph (3) of Regulation 22 of PECR, neither transmit, nor instigate the transmission of unsolicited communications for direct marketing purposes by electronic mail unless the recipient has previously notified HDSL that they consent for the time being to such communications being sent by, or at the instigation of HDSL.
Laura Anderson Limited t/a Virgo Home Improvements
31 July 2017
Monetary Penalty
PECR — Regulation 21
The Commissioner received 440 complaints via the TPS and directly from individuals who are subscribers to specific telephone lines. The individuals alleged that they have received unsolicited marketing calls on those lines from Virgo. Each individual stated that they had previously notified Virgo that such calls should not be made on that line and/or have registered their number with the TPS.
Enforced remedial action required within 35 days:
  1. Neither use, nor instigate the use of a public electronic communications service for the purposes of making unsolicited direct marketing calls where the called line is that of:
    1. A subscriber who has previously notified Virgo that such calls should not be made on that line;
    2. A subscriber who has registered their number with the TPS at least 28 days previously and who has not notified Virgo that they do not object to such calls being made.
The Lead Experts Limited
10 October 2017
Monetary Penalty
PECR — Regulations 19 & 24
Between 4 May 2016 and 5 May 2016 The Lead Experts Limited (TLEL) instigated the transmission of 111,072 automated marketing calls to subscribers without their prior consent. Furthermore, contrary to Regulation 24 of PECR, TLEL did not identify the organisation (person) who was sending or instigating the automated marketing calls or provide the address of the organisation or a telephone number on which this organisation can be reached free of charge.
Enforced remedial action required within 35 days:
  1. Neither transmit, nor instigate the transmission of communications comprising recorded matter for direct marketing purposes by means of an automated calling system except:
    1. Where the called line is that of a subscriber who has previously notified TLEL that for the time being they clearly and specifically consent to such communications being sent by, or at the instigation of, TLEL; and
    2. Where the communication includes the name of TLEL and either the address of TLEL or a telephone number on which TLEL can be reached free of charge.
Medway Council
9 June 2017
No Monetary Penalty
DPA — 7th Principle
The Commissioner’s Office carried out a consensual audit of the data controller (Medway Council) in October 2014 which provided ‘limited assurance’. The audit report recommended (among other things) that mandatory data protection training should be given to all staff and that there is regular refresher training which is monitored.
The Commissioner’s office carried out a ‘follow-up’ audit in June 2015. Although mandatory data protection training had been implemented, the Commissioner’s office advised the data controller to continue to roll out the training. The Commissioner’s office carried out a further investigation into the data controller’s compliance with the provisions of the DPA following two security breaches. The data controller has failed to take adequate steps to ensure that mandatory data protection training has been rolled out, as advised.
The Commissioner has considered the data controller’s compliance with the provisions of the DPA in light of these matters.
Enforced remedial action required within 6 months:
  1. There is a mandatory data protection training programme for staff and refresher training at least every two years. Delivery of the training should be tailored to reflect the needs of the staff following a training needs analysis; and
  2. Completion of any such training is monitored and properly documented.
Munee Hut LLP
10 March 2017
Monetary Penalty
PECR — Regulation 22
Between 1 May 2015 and 22 March 2016, Munee Hut LLP used a public telecommunications service for the purposes of instigating the transmission of approximately 64,000 unsolicited communications by means of electronic mail to individual subscribers for direct marketing purposes contrary to Regulation 22 of PECR.
Enforced remedial action required within 35 days:
  1. Except in the circumstances referred to in paragraph (3) of Regulation 22 of the Regulations, neither transmit, nor instigate the transmission of unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient has previously notified Munee Hut LLP that they consent for the time being to such communications being sent by, or at the instigation of Munee Hut LLP.
Road Accident Consult Ltd t/a Media Tactics
3 March 2017
Monetary Penalty
PECR — Regulations 19 & 24
Between 13 November 2014 and 9 June 2015 Media Tactics instigated the transmission of 22,065,627 automated marketing calls to subscribers without their prior consent. Media Tactics also contravened Regulation 24 of PECR in that it did not identify the person who was sending or instigating the automated marketing calls or provide the address of the person or a telephone number on which this person can be reached free of charge.
Enforced remedial action required within 35 days:
  1. Neither transmit, nor instigate the transmission of communications comprising recorded matter for direct marketing purposes by means of an automated calling system except:
    1. Where the called line is that of a subscriber who has previously notified Media Tactics that for the time being they consent to such communications being sent by, or at the instigation of, Media Tactics; and
    2. Where the communication includes the name of Media Tactics and either the address of Media Tactics or a telephone number on which Media Tactics can be reached free of charge.
Secretary of State for Justice
21 December 2017
No Monetary Penalty
DPA — 6th Principle
On 28 July 2017, the data controller had a backlog of 919 subject access requests from individuals, some of which dated back to 2012. The data controller's recovery plan involved eliminating the backlog by October 2018 and from 31 January 2018 dealing with any new subject access requests from individuals without undue delay. On 10 November 2017, there were 793 cases over 40 days old.
The data controller failed to inform the individuals, whether their personal data is being processed by or on behalf of the data controller, without undue delay, and failed to communicate in an intelligible form information which may constitute personal data. Further, the data controller’s internal systems, procedures and policies for dealing with subject access requests made under the DPA were unlikely to achieve compliance with the provisions of the DPA.
Enforced remedial action required within 10 months:
  1. Inform the individuals whose access requests are over 40 days old whether the personal data processed includes personal data of which those individuals (or any of them) are the data subjects and supply each of them with a copy of any such personal data so processed in accordance with the requirements of Section 7 of the DPA and the sixth data protection principle in that respect, subject only to the proper consideration and application of any exemption from, or modification to, Section 7 of the DPA provided for in or by virtue of part IV of the DPA which may apply.
Enforced remedial action required within 30 days:
  1. Carry out the changes to its internal systems, procedures and policies necessary to ensure that all subject access requests received by the data controller, in respect of the data controller, pursuant to Section 7 of the DPA are identified and complied with in accordance with the seven requirements of Section 7 of the DPA, and the sixth data protection principle in that respect, subject only to:
    1. The proper consideration and application of any exemption from, or modification to, Section 7 of the DPA provided for in or by virtue of part IV of the DPA which may apply; and
    2. The expectation that such requests are expressed with reasonable clarity and are properly addressed.
  2. Continue to use his best endeavours to surpass the milestones outlined above.
  3. Provide the Commissioner with a progress report at the beginning of each month, documenting in detail how the terms of this enforcement notice have been, or are being, implemented.
True Telecom Limited
6 September 2017
Monetary Penalty
PECR — Regulations 21 & 24
The Commissioner received numerous complaints via TPS and directly from individuals who are subscribers to specific telephone lines. The individuals allege that they have received unsolicited marketing calls on those lines from True Telecom. Each individual states they have previously notified True Telecom that such calls should not be made on that line and/or have registered their number with the TPS.
Enforced remedial action required within 35 days:
  1. Neither use, nor instigate the use of a public electronic communications service for the purposes of making unsolicited direct marketing calls where the called line is that of:
    1. A subscriber who has previously notified True Telecom that such calls should not be made on that line;
    2. A subscriber who has registered their number with the TPS at least 28 days previously and who has not notified True Telecom that they do not object to such calls being made.
  2. Neither use, nor instigate the use of a public electronic communications service for the purposes of making calls (whether solicited or unsolicited) for direct marketing purposes except where they:
    1. Do not prevent presentation of the identity of the calling line on the called line; or
    2. Present the identity of a line on which they can be contacted.
  3. In accordance with Regulation 24 of the Regulations, cease using a public communications service for the transmission of a communication to which Regulation 21 of the Regulations applies unless the particulars mentioned in paragraph (2)(a) of Regulation 24 of the Regulations are provided with that communication.
In addition to the above, the Commissioner would note at this point that in the period May 2017 to July 2017, following the established contravention which forms the basis of this Notice, in excess of 50 further complaints have been logged with the TPS in respect of unsolicited calls made by True Telecom.
Vanquis Bank Limited
4 October 2017
Monetary Penalty
PECR — Regulation 22
Between 9 April 2015 and 16 February 2016, Vanquis Bank Limited (VBL) used a public telecommunications service for the purposes of instigating the transmission of 870,849 unsolicited communications by means of electronic mail (text message) to individual subscribers for direct marketing purposes contrary to Regulation 22 of PECR. This resulted in 131 complaints being made to the 7726 system.
Furthermore, between 1 April 2016 and 1 September 2016, VBL used a public telecommunications service for the purposes of instigating the transmission of 620,000 unsolicited communications by electronic mail (e-mail) to individual subscribers for direct marketing purposes contrary to Regulation 22 of PECR. This resulted in 9 complaints being made to the ICO.
The Commissioner was satisfied that VBL did not have the consent within the meaning of Regulation 22 (2) from the 870,849 subscribers to whom it sent unsolicited direct marketing text messages or the 620,000 subscribers to whom its affiliate had sent unsolicited direct marketing e-mails.
Enforced remedial action required within 35 days:
  1. Except in the circumstances referred to in paragraph (3) of Regulation 22 of PECR, neither transmit, nor instigate the transmission of unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient has previously notified VBL that they clearly and specifically consent for the time being to such communications being sent by, or at the instigation of, VBL.
Xternal Property Renovations Ltd
28 March 2017
Monetary Penalty
PECR — Regulation 21
The Commissioner has received numerous complaints via the TPS and directly from individuals who are subscribers to specific telephone lines. The individuals allege they have received unsolicited marketing calls on those lines from Xternal Property Renovations Ltd. Each individual states that they have previously notified Xternal Property Renovations Ltd that such calls should not be made on that line and/or have registered their number with the TPS.
Enforced remedial action required within 35 days:
  1. Neither use, nor instigate the use of a public electronic communications service for the purposes of making unsolicited direct marketing calls where the called line is that of:
    1. A subscriber who has previously notified Xternal Property Renovations Ltd that such calls should not be made on that line; and/or
    2. A subscriber who has registered their number with the TPS at least 28 days previously and who has not notified Xternal Property Renovations Ltd that they do not object to such calls being made.
Brioney Woolfe
11 August 2017
A former employee of Colchester Hospital University NHS Foundation Trust, Brioney Woolfe was prosecuted at the Colchester Magistrates’ Court. Woolfe accessed the medical records of several people without a business purpose to do so while employed as a health care assistant by Colchester Hospital University NHS Foundation Trust.
Action:
Woolfe pleaded guilty to two offences under section 55 of the Data Protection Act for accessing the sensitive health records of friends and people she knew and disclosing some of the personal information obtained.
Ms Woolfe was fined £400 for the offence of obtaining personal data and £650 for disclosing it. Ms Woolfe was ordered to pay prosecution costs of £600 and a victim surcharge of £65.
Clair Francis
9 November 2017
Clair Francis, who worked as a Coding Officer for Dudley Group NHS Trust, pleaded guilty to one offence of obtaining personal data and one offence of disclosing personal data. She accessed her neighbour and former friend’s medical records and disclosed information about a baby.
Action:
Ms Francis was fined £125 for each offence and ordered to pay costs of £500 and a victim surcharge of £30.
Joseph Walker
8 June 2017
Following a prosecution by the ICO, Joseph Walker pleaded guilty to section 55 Data Protection Act offences before Liverpool Magistrates’ Court. The offence related to making blagging calls to obtain information about policy holders and the road traffic accidents they had been involved in, from insurance companies. At the time of the offences the defendant had worked at a claims management company, UK Claims Organisation Ltd, based in Liverpool, together with co-defendants Lesley Severs and Kayleigh Billington, who were sentenced last year. It was the prosecution case that data originally obtained unlawfully from a car hire company was used by the employees of the claims management company as leads, to make blagging calls to insurance companies. In the calls the defendants used various guises and tried to obtain further information from the insurers, in order to be able to sell cases on to solicitors as personal injury claims.
Action:
Joseph Walker pleaded guilty to 12 offences under section 55 of the Data Protection Act 1998 and 44 like offences were taken into consideration, for which he was fined £2,000, ordered to pay a victim surcharge of £15 and prosecution costs of £1,600.
Linda Reeves
4 September 2017
A former data co-ordinator employed by The University Hospitals of North Midlands NHS Trust has been prosecuted at North Staffordshire Magistrates’ Court. Linda Reeves accessed the sensitive medical records of colleagues as well as people she knew that lived in her locality, without the consent of the data controller.
Action:
Ms Reeves pleaded guilty to the offence under section 55 of the Data Protection Act and was fined £700, ordered to pay costs of £364.08 and a £70 Victim Surcharge.
Marian Waddell
13 November 2017
Marian Waddell, a former nursing auxiliary, was fined for accessing a patient and her neighbour’s medical records without a valid legal reason. She worked at Royal Gwent Hospital in Newport and unlawfully accessed the records of a patient who was also her neighbour.
Action:
She was fined £232 and was ordered to pay £150 costs and a victim surcharge of £30.
Nicola Wren
16 October 2017
A former administrator employed by Kent and Medway NHS and Social Care Partnership Trust has been prosecuted by the ICO at Medway Magistrates’ Court.
Nicola Wren accessed the sensitive medical records of a patient who was known to her 279 times in a three week period, without any business need to do so, which was without the consent of the data controller.
Action:
Ms Wren pleaded guilty to the offence under section 55 of the Data Protection Act and was fined £300, ordered to pay costs of £364.08 and a £30 Victim Surcharge.
Nilesh Morar
21 September 2017
Nilesh Morar has been prosecuted at Nuneaton Magistrates’ Court for the offence of unlawfully obtaining personal data. The defendant, who at the time worked at Leicester City Council, emailed personal data relating to 349 individuals, which included sensitive personal data of service users of the Adult Social Care Department, to his personal email address without his employer or the data controller’s consent.
Action:
Mr Morar pleaded guilty to the offence under section 55 of the Data Protection Act and was fined £160, ordered to pay £364.08 prosecution costs and a £20 victim surcharge.
Robert Morrisey
9 November 2017
A former employee of a community based counselling charity has been prosecuted by the ICO at Preston Crown Court. Robert Morrisey sent spreadsheets containing the information of vulnerable clients to his personal email address without any business need to do so, which was without the consent of the data controller.
Eleven emails were sent from his work email account on 22 February 2017, which contained the sensitive personal data of 183 people, three of whom were children. The personal data included full names, dates of birth, telephone numbers and medical information. Further investigation showed that he had sent a similar database to his personal account on 14 June 2016.
Action:
Mr Morrisey pleaded guilty to three offences under section 55 of the Data Protection Act and was sentenced to a two year Conditional Discharge, ordered to pay costs of £1,845.25 and a £15 Victim Surcharge.
Sally Anne Day
16 May 2017
A former administration employee of Crickhowell Group Practice, part of the Powys Health Trust Board was prosecuted at Newport Crown Court for repeatedly accessing the sensitive medical records of two patients without the consent of the data controller.
Action:
Ms Sally Anne Day pleaded guilty to the offence under section 55 of the Data Protection Act and was fined £400, ordered to pay costs of £350 and a victim surcharge of £40.
Stuart Franklin
21 July 2017
Stuart Franklin has been prosecuted at Birmingham Magistrates’ Court for the offence of unlawfully disclosing personal data. The defendant, who at the time worked at a Walsall based domestic services company, emailed the CVs of 26 job applicants to a third party company without his employer or the data controller’s consent.
Action:
Mr Franklin pleaded guilty to the offence under section 55 of the Data Protection Act and was fined £573, ordered to pay £364 prosecution costs and a £57 victim surcharge.
True Telecom Limited
15 March 2017
True Telecom Limited has been prosecuted at Medway Magistrates Court for the offence of processing personal data without having an entry in the register maintained by the Information Commissioner.
Action:
The telecommunications company was found guilty of the offence under section 17 of the Data Protection Act 1998, and was fined £400, ordered to pay costs of £593.75 and a victim surcharge of £40.
Cheshire West and Chester Council
10 August 2017
DPA — 7th Principle
In February 2014, Cheshire West and Chester Council agreed to an ICO audit which was undertaken in October 2014, following which a limited assurance rating was achieved. A follow up was undertaken on behalf of the Commissioner in June 2015, to check progress with the agreed recommendations.
As a result of this audit and follow up, a number of concerns relating to staff training were identified. These concerns were compounded by a series of self-reported incidents which the Commissioner was advised of both during the follow up period to the audit and also thereafter. The majority of these incidents concerned disclosure in error cases, and almost all of the staff involved had not received data protection training. Some of these individuals were also temporary agency workers.
Despite agreed audit recommendations specifically related to training, which included the requirement to train all staff employed and monitor take up of such training, subsequent investigations have identified that these recommendations have not been implemented fully.
Further data breaches reported to the Commissioner subsequent to the audit follow up have involved disclosures which had the potential to cause serious distress for those affected, including: the disclosure of an incorrect mobile phone number to an ex-partner of a data subject; and allegations of historic sexual abuse being sent to an incorrect address due to the address and postcode being obtained from a Google Map search. The data handling procedures introduced following previous breaches were not being adhered to in some high risk areas because staff had not been made aware of them. Following investigations into those incidents, it was found that some staff members within these services had not received any data protection training at all.
Whilst the data controller has policies in place which highlight the data protection obligations of its employees, the level of overall organisational compliance with mandatory data protection training has fluctuated significantly over the last two years.
The latest organisational data protection training compliance figure for the year ended 2016/2017 was 61% overall, with much lower than expected attainment figures evidenced in some high risk areas such as Children and Family Services and Adult Social Care and Health.
Following consideration of the remedial action that has been taken by the data controller, it is agreed that in consideration of the Commissioner not exercising his powers to serve an Enforcement Notice under section 40 of the Act, the data controller undertakes as follows:
The data controller shall, as from the date of this Undertaking and for so long as similar standards are required by the Act or other successor legislation, ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Part I of Schedule 1 to the Act, and in particular that:
  1. The data controller shall conduct a risk based training needs analysis for all roles within the organisation to ascertain the level of data protection awareness required for the role, and the frequency at which the individual should receive refresher training to ensure they are reminded of their obligations in order to prevent further security incidents. This analysis should also consider whether the training should be tailored for specific roles and should be completed within six months of the date of the undertaking.
  2. The data controller shall deliver mandatory data protection training in relation to both the requirements of the Act and the data controller’s policies and guidance to all employees whose role involves the handling of personal data, as identified in the training needs analysis and regardless of their contractual status. This process should be completed within six months.
  3. The data controller shall ensure that all new members of staff responsible for the handling of personal data are given appropriate data protection training, commensurate with their role upon induction.
  4. The data controller shall ensure that mandatory refresher data protection training is undertaken at the intervals identified and as set out in the training needs analysis; such training to be refreshed annually as a minimum.
  5. The data controller shall ensure that mandatory data protection and refresher training is monitored and enforced.
Cornwall Council
3 February 2017 (follow-up to Undertaking issued 16 September 2016)
DPA – 7th Principle
On 30 January 2017 the Information Commissioner’s Office (ICO) conducted a follow-up assessment of the actions taken by Cornwall Council in relation to the undertaking it signed on 16 September 2016. The objective of the follow-up is to provide the ICO with a level of assurance that the agreed undertaking requirements have been appropriately implemented.
Cornwall Council agreed to the undertaking following the Commissioner’s investigation of eight data breaches that occurred over a two-year period, some of which involved disclosures made in error, which revealed that some staff members had not received data protection training. The Commissioner’s investigation also found that the general uptake of data protection training across Cornwall Council was unsatisfactory (DPA – 7th Principle).
The review demonstrated that Cornwall Council has taken appropriate steps to address the three requirements of the undertaking:
  1. All current staff members responsible for the handling of personal data should receive appropriate, specific data protection training. This process should be completed within three months.
    • In November 2016 Cornwall Council confirmed within their Uptake of Mandatory Information Governance Training Report that over 83% of Cornwall Council employees had completed their Information Governance training within a two year period. 83% of employees accounted for all of Cornwall Council staff, excluding those who were long term absentees.
  2. Such training should be refreshed at regular intervals, not exceeding two years and its provision monitored and recorded.
    • The ‘Uptake of Mandatory Information Governance Training Report’ states that Cornwall Council monitor compliance with the requirement to complete the Information Governance training at least every two years. Compliance reports are reviewed at the Information Governance steer group and the Corporate Directors’ Team on a monthly basis to identify any employees who are due to complete their training so that follow up action can be taken to ensure compliance with the training requirement.
  3. New staff members responsible for the handling of personal data are given appropriate, specific data protection training upon induction.
    • Cornwall Council provided copies of their corporate induction checklists, New Employee Checklist and Induction Checklist for Managers Who Manage New Staff - Managers’ Induction Checklist for New Staff. The checklists state that it is a mandatory requirement that new employees complete their Information Governance training within their first week of employment.
Dyfed Powys Police
27 September 2017
DPA – 7th Principle
The Information Commissioner (the ‘Commissioner’) was informed of several data protection incidents by Dyfed Powys Police over an 18 month period. The number of incidents reported is of concern, especially as they are repeated in nature.
In August 2016, Dyfed Powys Police’s Mental Health Team passed sensitive personal data to an individual’s General Practitioner (GP). The information was sent by open fax message to the GP’s surgery, and whilst it arrived at its intended destination, appropriate consent was not obtained from the data subject. At the time of the incident the officer had not completed any data protection training.
The Commissioner’s enquiries into this incident revealed that as at 17 March 2017, 1,204 officers out of a total of 2,258 had not completed any data protection training and there was no current programme of refresher training in place.
In January 2017, an officer passed personal data relating to a Councillor and a neighbour by email to the clerk of a local council. There was no information sharing agreement in place between the data controller and the council; authorisation from a senior colleague was not sought prior to sending the email; and the officer had received no data protection training.
A third incident investigated by the Commissioner occurred prior to November 2015 but was not brought to the attention of the data controller, and subsequently the Commissioner, until March 2017. The incident involved a photograph taken using a mobile telephone. The photograph showed an officer’s working environment, including a computer screen on which data was displayed. The picture was forwarded to a family member. By sending the photograph the officer breached the data controller’s Information Security Policy and the College of Policing Code of Ethics. The officer had received no data protection training.
The Commissioner’s investigation into these incidents has determined repeated failures with regard to the training of staff.
The data controller shall, as from the date of this Undertaking and for so long as similar standards are required by the Act or other successor legislation, ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Part I of Schedule 1 to the Act, and in particular that:
  1. A force-wide programme of data protection training adequate to equip officers with the necessary knowledge to comply both with the Act and with the data controller’s policies concerning the processing of personal data be implemented without further delay.
  2. A force-wide programme of refresher training be introduced to ensure ongoing compliance with the Act.
  3. A programme of recording and monitoring of training undertaken be implemented with prompt remedial action to address non-compliance being taken where necessary.
  4. The data controller shall implement such other security measures as are appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.
  5. The data controller shall confirm its plans in writing to the Commissioner to demonstrate its commitment to these steps within one month of the date of agreement to this undertaking.
Kent Police
10 August 2017 (follow-up to Undertaking issued 9 August 2016)
DPA – 1st Principle
On 21 June the Information Commissioner’s Office (ICO) conducted a follow-up assessment of the actions taken by Kent Police in relation to the undertaking it signed on 8 August 2016. The objective of the follow-up is to provide the ICO with a level of assurance that the agreed undertaking requirements have been appropriately implemented.
Kent Police agreed to an undertaking following the Commissioner’s investigation of an incident that involved downloading the entire contents of an individual’s mobile phone, which contained a recording supporting the individual’s abuse allegations, without informing the individual that this processing would take place. There was also no fair processing notice or other written authorisation form to explain to the data subject what she would be consenting to by providing her phone to the data controller (DPA – 1st Principle).
Findings of the ICO in relation to undertakings signed:
  1. Develop written procedures and supporting documentation for the extraction of data from mobile devices which emphasise that explicit, informed consent should be sought from victims and witnesses of crime in the first instance by 31 October 2016.
    • Written procedures have been documented for the extraction of data from mobile devices and they have been communicated to the teams and staff undertaking the work. The intranet was updated 16 October 2016 and further updates were made on 26 April 2017 with links to the process and fair processing form.
  2. Create a fair processing notice for victims and witnesses of crime to read and sign, which clearly explains which personal data will be extracted from their mobile device and how this will be processed, by 31 October 2016.
    • A fair processing form has been documented to include digital disclosures, version controlled and added to the documents repository. There are also links to the document via the intranet (InSite), briefing packs and local team communications. The use of the form, awareness and testing is frequently monitored in the form of on-site tests and audits.
  3. Where technically possible, limit the extraction of data from the mobile devices from victims and witnesses of crime to relevant data sets and delete any irrelevant information once identified as such by the Disclosure Officer. The data controller shall ensure that these processes are contained within the relevant written procedures by 31 October 2016.
    • Kent Police has made significant investment in resources to create dedicated digital hubs, one within each policing division. These environments will be secure with restricted and authorised access, staffed by fully trained operatives working to published policies and procedures which support compliance with all aspects of information and data management. The first phase of recruitment and training will be completed by the end of July 2017 and, following a month of mentored operational activity, it is planned that the organisation will be in a position to locally deploy staff to the three hub locations from 4 September 2017.
    • Three hubs have been established, two are in the process of being made operational and the third will be operational by November 2017.
    • A full review of staff able to complete digital downloads was conducted and resulted in a significant drop in numbers who are now able to undertake this activity. This is supported by regular audits and quality control checks.
  4. Remain up to date with developments and guidance around the extraction of data from mobile devices and promptly take action to address any recommendations relating to compliance with the Act arising from this.
    • As part of the monthly Force Security and Integrity Committee (FSIC) forum the forensics team will have visibility of updates to legislation and are included in the readiness for GDPR.
    • Work is ongoing to continually review and update policies, embed the guidance and continuously improve data protection standards with a structured audit programme.
  5. Implement such other security measures as are appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.
    • The central forensic team has plans to safeguard data beyond the plans for forensic hubs, and a collaborative approach facilitated by the Operational and Information Security (OIS) Head includes a broad audit programme and regular forums to strengthen adherence to the Act.
London Borough of Ealing
2 May 2017 (follow-up to Undertaking issued 15 November 2016)
DPA – 7th Principle
On 19 April 2017 the Information Commissioner’s Office (ICO) conducted a follow-up assessment of the actions taken by the London Borough of Ealing (LBE) in relation to the undertaking it signed on 10 October 2016. The objective of the follow-up is to provide the ICO with a level of assurance that the agreed undertaking requirements have been appropriately implemented.
LBE agreed to the undertaking following the Commissioner’s investigation of an incident involving a social worker, who lost a court bundle containing sensitive personal data relating to 27 data subjects including 14 children, when she put them on top of her car and then drove off. The documents were not recovered (DPA – 7th Principle).
The ICO acknowledges that although the London Borough of Ealing has taken initial steps to address the requirements of the undertaking, significant work is still required before it is fully satisfied. In particular, appropriate steps have not been taken to address the following requirements:
  1. The council continues to work toward achieving its stated target for 100% completion of mandatory online data protection refresher training for all permanent, locum and temporary Social Care staff who handle personal data by 3 April 2017, and the same monitoring and recording processes for the completion of this training are applied to locum, temporary and permanent social care staff.
    • LBE confirmed that 74% of social care staff (including permanent, temporary and locum) had completed the eLearning data protection module and 25% of staff (without online access) had completed the PDF version between January 2016 and January 2017. Training was either part of induction for new starters or a refresher course for existing staff. The remaining 1% were on long term absence. LBE reports that it is in the process of putting measures in place to ensure that any new starters since January 2017 complete the data protection module. There are currently no plans to ensure that the refresher training is completed annually.
    • It was difficult to obtain the training completion figures from LBE, who confirmed they are derived manually by cross referencing names from the e-learning system and manual records of staff completing the PDF version of the course with payroll lists of temporary and permanent staff. It is not clear how the ongoing control and monitoring of training will be achieved when managers do not have recurrent reports of training completion rates.
    • The council should implement management, monitoring and recording processes to verify that they have achieved and are maintaining their stated target for 100% completion of annual mandatory data protection refresher training for Social Care, locums, and temporary staff.
  2. The recording and monitoring of initial and refresher data protection training for non-permanent staff employed in all other departments of the council involved in the handling of personal data is performed as (1) above.
    • LBE has not established regular reporting and governance procedures to ensure data protection training compliance rates are maintained on an ongoing basis. Additionally, it is unclear how training delivered via the PDF version of the module will be monitored. It is concerning that LBE advised that it may not monitor refresher training prior to the launch of the updated training that will be required for GDPR.
    • The council should implement monitoring and recording processes to assure that they continue to achieve their stated objective of 100% completion of annual data protection refresher training for all staff who are involved in the handling of personal data.
  3. The council ensures the use of MetaCompliance is a sufficiently robust mechanism for delivering and measuring refresher Data Protection related training to meet the council's stated objective of an annual requirement.
    • The MetaCompliance review document states “using the Policy Management software we are able to create and control business and IT policies, implement enforced compliance of key messages and monitor acceptance” and that “Metacompliance is a robust mechanism for delivering and measuring refresher DP related training”. It was reported however that the tool is used to manage policy dissemination and it is not used for delivering and measuring the annual requirement to refresh the Data Protection e-learning training module.
    • The council should therefore ensure that either MetaCompliance or another tool is a sufficiently robust mechanism for delivering and measuring refresher data protection related training to meet the council’s stated objective of an annual refresher requirement.
If any further incidents involving the LBE are reported to the ICO, the undertaking and its fulfilment will be taken into consideration as part of its investigation process. Dependent upon the outcome, enforcement action could be considered by the ICO as a result.
NHS Digital (formerly known as HSCIC)
6 January 2017 (follow up to Undertaking issued 19 April 2016)
DPA – 1st Principle
On 16 December 2016 the Information Commissioner’s Office (ICO) conducted a follow-up assessment of the actions taken by NHS Digital (formerly known as HSCIC) in relation to the undertaking it signed on 19 April 2016. The objective of the follow-up is to provide the ICO with a level of assurance that the agreed undertaking requirements have been appropriately implemented.
NHS Digital agreed to the undertaking following the Commissioner’s investigation of the way NHS Digital shared patient data for purposes other than direct care. Specifically, that NHS Digital was not able to collect, record or implement Type 2 objections registered by patients with their GPs, for legal and technical reasons, which resulted in Type 2 objections not being implemented for approximately 700,000 patients. Further, the HSCIC had not taken steps to inform affected patients other than a statement placed on its website (DPA – 1st Principle).
The review demonstrated that NHS Digital has taken appropriate steps and put plans in place to address the requirements of the undertaking and to mitigate the risks highlighted. NHS Digital confirmed that it has taken the following steps:
  1. HSCIC should establish and operate a system to process and uphold Type 2 objections, in accordance with the Direction from the Secretary of State.
    • NHS Digital has established and currently operates a system to process and uphold Type 2 objections. This was done by directing GPs to supply the necessary data via the General Practice Extraction Service or HSCIC Secure Electronic File Transfer system. Internal technological systems have been developed to receive, record and manage these patient objections around a central Patient Objections System. Organisational processes have been developed for NHS Digital staff to be aware of, and correctly use, the Central Patient Objections System where their work makes this necessary. Auditable information is recorded for these processes and the policies are due for regular review. Specific roles, (such as Information Asset Owners,) have been identified as responsible for aspects of the system and such individuals have received appropriate guidance. A steering group and system user group have been established as part of ongoing monitoring to ensure continued compliance.
  2. HSCIC should ensure measures are put in place so that any patients who have previously registered a Type 2 objection, or patients who register a Type 2 objection in future, are provided with clear fair processing information that enables them to understand how the Type 2 objection will be applied and how their data will be used.
    • NHS Digital has updated the fair processing information on its website to describe and explain Type 1 and Type 2 objections to patients. The NHS Choices website has also been updated to include clear information on objections and contains referral links to more information on the NHS Digital website relating to objections. Additionally, awareness about objections was relayed via the external relations manager to selected external organisations who regularly offer advice to patients who contacted them.
  3. HSCIC should contact recipients of data sets it provided in the period January 2014 – April 2016 (where Type 2 objections can be processed and upheld in accordance with the Direction) and make them aware that the data sets may include records relating to patients who have chosen to opt out. HSCIC should do this within three months of the undertaking.
    • Using its Data Access Release team and Data Release Register NHS Digital was able to identify the recipients of data sets provided between January 2014 and April 2016 that were likely to contain records of patients who had registered a Type 2 objection and not covered by an exemption. A letter was sent on 19 July 2016 (the day after the three months described in the undertaking expired), informing the recipient that the data set may include records as described above. Further contact was made if a recipient did not confirm receipt of the original correspondence. This was done by letter or telephone as appropriate. As of 19 October 2016 it was reported that all recipients had been successfully contacted.
  4. HSCIC should contact recipients of data sets it provided in the period January 2014 – April 2016 (which included patient data where Type 2 objections can be processed and upheld in accordance with the Direction) and where the agreement allowed the recipient to onwardly disseminate the data, to make them aware that this data should no longer be disseminated further. HSCIC should do this within three months of the undertaking.
    • It was identified that four data sharing agreements included provision to onwardly disseminate data. The circumstances of each were examined in detail and it was found that for each, for different reasons, no action was required in relation to the undertaking requirement.
  5. HSCIC should contact recipients of data sets it provided in the period January 2014 – April 2016 (which included patient data where Type 2 objections can be processed and upheld in accordance with the Direction) to inform them that, where possible, the data sets should be destroyed or deleted and replaced with a new data set, which reflects patient opt outs, provided by HSCIC in its place. Whether it is possible to destroy or delete the data will depend on whether or not it has already been processed and used, such as in a research study or as part of business intelligence information made available to a Trust. HSCIC will collect and retain a certificate of destruction where it is possible for data to be destroyed or deleted.
    • As part of contacting the recipients of the relevant data sets as previously mentioned, NHS Digital advised that where possible the data sets should be destroyed / deleted. A log of destruction certificates has been kept where they have been provided to NHS Digital and requests for replacement data sets are being processed if appropriate.
  6. HSCIC should revisit the matter of objections following the completion of the National Data Guardian review and consider whether its systems and processes can be modified to allow the Type 2 objection to be applied in circumstances where this is not currently possible.
    • NHS Digital has stated that they have examined the National Data Guardian’s (NDG) review of data security, consent and opt-outs published 6 July 2016. NHS Digital reports that for the systems identified where it is currently accepted as not possible to apply the Type 2 objections the review does not change this situation. The NDG review does not recommend any changes to existing arrangements pending a full consultation on the proposed new consent/opt-out model. NHS Digital has undertaken that the systems identified will be examined again following the publication of the response by the Secretary of State to the NDG review, as there may be proposals made regarding legislative changes that impact the situation.
Although NHS Digital took appropriate steps and put plans in place to address some of the requirements of the undertaking, the Commissioner found that further work needed to be completed by 18 April 2017 to fully address the agreed actions. In particular:
  7. HSCIC should ensure measures are put in place so that any patients affected by this incident can be made aware that it is possible that their personal data has been shared with third parties against their wishes. This process should be completed within six months.
    • NHS Digital has, as well as relying on the press coverage regarding the incident to raise awareness, published relevant information to the NHS Choices website on the right to opt out of patients’ identifying information being shared beyond their GP practice or NHS Digital. It has produced standard wording that was sent to all GP practices asking for the information to be made available to patients. It also provided the same to both Healthwatch England and the Patients Association and requested they disseminate it throughout their organisations to aid in informing patients.
    • However, the requirement to make patients affected by the incident aware that their personal information has been shared with third parties against their wishes has not been fulfilled. The wording used on the NHS Choices website is “The HSCIC has started to uphold type 2 objections from 29 April 2016”. It does not make clear that there was sharing carried out prior to that date in which objections made were not being honoured. There is an assumption that, while mentioning that sharing occurs and that objections will be honoured from 29 April 2016, the reader will know that prior to this date, even though they had objected, that objection was not honoured and sharing took place. It must be considered whether it is a reasonable assumption that the average individual would know that the delay caused inappropriate sharing. While correspondence to GPs and third party organisations is more detailed, there is no evidence that any did pass on the information to patients, or that GPs made it available to returning patients who attended their surgeries.
      NHS Digital should take further action:
    • To make it clear by amending published material that type 2 objections received prior to 29 April 2016 were not honoured prior to this date, and so information was shared incorrectly from January 2014.
    • To assess the effectiveness of the programme of distributing material to GPs and other organisations to raise patient awareness of the failure to honour received objections.
Northern Health & Social Care Trust
3 April 2017 (follow-up to Undertaking issued 19 July 2016)
DPA – 7th Principle
In March 2017 the Information Commissioner’s Office (ICO) conducted a follow-up assessment of the actions taken by Northern HSC Trust in relation to the undertaking it signed in July 2016. The objective of the follow-up is to provide the ICO with a level of assurance that the agreed undertaking requirements have been appropriately implemented.
Northern HSC Trust agreed to the undertaking following the Commissioner’s investigation of an incident involving 11 emails, which were intended for a doctor’s personal non-trust account, being sent to a member of the public with the same name over a two year period (DPA – 7th Principle).
The ICO noted that Northern HSC Trust has taken some steps to meet the requirements of the undertaking; however, there are still some areas of concern which need addressing to mitigate the highlighted risks. In particular:
  1. The data controller must ensure that all staff, including locum doctors, 3rd party contractors, temporary (agency/bank) staff and volunteers, whose role involves the routine processing of personal and sensitive personal data, undertake mandatory data protection and data handling induction training and regular refresher training on the requirements of the Act.
    • All staff at the Trust are now required to do Information Governance (IG) awareness training during their induction. This training will then be refreshed every three years. The most recent compliance report that has been provided states that 84% of staff had completed the IG training and 84% of managers had completed the POPI training in December 2016. Although this is an improvement, the Trust still needs to ensure that all staff are completing the IG training within the given time. It has been reported that the IG training booklet and package for locum doctors and agency staff is still under review. Because this has yet to be implemented, there is still a risk that IG incidents will occur due to the lack of training. However, the Trust has provided evidence showing that the contractual terms with external domiciliary care providers have been revised. This will reassure the Trust that the relevant IG training will be given to these contractual staff.
  2. Provision of such training shall be recorded and monitored with oversight provided at a senior level against agreed Key Performance Indicators (KPIs) to ensure completion. In addition, the data controller shall implement follow-up procedures to ensure that staff who have not attended/completed training do so as soon as is practicable.
    • IG training KPI and monitoring reports are being produced. These reports should be produced every quarter; evidence of the September report was received but nothing from this year. It has been reported that these reports are provided to all the directorates, the Trust Board and the Corporate Governance Steering Group. However, no evidence has been provided to show that this information is being reported to the Trust Board. The said reports are also used by management to monitor staff members who have not completed the training in the given timeframe. Again, there is no evidence showing this. There are also no processes in place to show what the consequences are if staff members repeatedly fail to complete the IG training.
  3. The data controller shall ensure that staff, including Locum doctors, 3rd party contractors, temporary (agency/bank) staff and volunteers are aware of the content and location of its policies and procedures relating to the processing of personal data, specifically the procedure for reporting and recording IG breaches. If not already in place, a mechanism to ensure that staff are updated of any changes to these policies and procedures should also be implemented.
    • Policies are kept on the Trust’s staffnet website. During the staff departmental induction they are informed of where the policies are and which ones are specifically relevant to them. If there are any changes to policies or new policies are implemented, staff are made aware of this via email and the staff newsletter. Managers will also mention any updates in team meetings, to inform staff who do not have access to email. However, no evidence of this was provided.
    • The Trust fully implemented Datix web in November 2016. Evidence has been provided showing that training and information has been given to all staff about this system and incident reporting in general. However, the Incident Management policy has yet to be updated with the new process for reporting incidents. The updating of this policy should be completed as soon as possible to ensure staff have guidance on what to do if an IG incident occurs.
  4. The data controller shall implement such other security measures as are appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.
    • The Trust created an IG improvement plan after the undertaking was issued. This plan has identified key risks that the Trust needs to look into, one of which was risk management. It was reported that an element of this risk has been addressed by ensuring risk assessments are completed and reviewed for all of the Trust's information assets. However, the Trust has not provided evidence to confirm this new procedure. The Trust has also stated that they are now ISO27001 compliant, which should help with the implementation of measures to ensure the security of the personal data they process. However, no ISO27001 certificate or other evidence has been provided showing this. There are also regular reviews of IG incidents at the Trust's IG Forum. If any trends emerge from incidents, lessons learnt can be discussed in this arena.
Pennine Care NHS Foundation Trust
21 February 2017
DPA – 7th Principle
The Information Commissioner (the “Commissioner”) was informed of several similar data protection incidents by Pennine Care NHS Foundation Trust (“the Trust”) over a twelve month period. The number of incidents reported is of concern especially as they are repeated in nature. The Commissioner also identified delays in reporting with limited information provided, even with ample time to conduct an internal investigation.
One of the incidents occurred in April 2015 and involved a CAMHS patient letter for a GP follow up being sent to a neighbour containing sensitive diagnosis information. On this occasion the envelope was not marked ‘private and confidential’ or for ‘addressee only’. This incident was seen to be representative of subsequent reported data breaches to the Commissioner, where personal information was posted to the wrong person in error.
Information Governance concerns have been raised within the CAMHS service in general, particularly related to an inconsistency with checking patient addresses on internal systems or on correspondence before being sent. There were also identified concerns around addressees on patient records not being kept up to date. During the Commissioner’s investigation into similar security incidents, it was also found that administrative tasks were being undertaken by clinicians who were not clear about the correct administration procedures to protect personal data.
A further data security incident occurring in July 2016 involved a letter being sent to an outdated address containing confidential mental health information and its impact on the committal of an offence. Whilst the confidential letter had been returned to the service, it had been opened by an unintended recipient and could have been accessed further, seeing as this was returned by a third party.
The investigation found that staff failed to check the Electronic Patient Record for the correct address and, whilst this can be seen to be attributable to human error, there were concerns around the level of training undertaken by staff. Information Governance training was completed only after the incident; before that, reliance had been placed solely upon previous experience and college-based training.
The data controller shall, as from the date of this Undertaking and for so long as similar standards are required by the Act or other successor legislation, ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Part I of Schedule 1 to the Act, and in particular that:
  1. Procedures are put in place to ensure any reported breach of security relating to personal data is acted upon promptly and any containment and remedial measures are swiftly enforced. The Incident Reporting Policy should include provisions to train staff around reporting to timescales and to provide the most pertinent information to assist an investigation, internal categorisation and prompt remedial measures.
  2. The data controller shall ensure all processes within the CAMHS service are standardised across all teams and staff duties between administration staff and clinicians are clearly defined.
  3. To review and clarify relevant checking procedures when sending patient correspondence. This is to include procedures around patient record keeping to ensure they are kept up to date. Any related guidance should be disseminated to all staff.
  4. The completion of mandatory induction data protection training, in relation to both the requirements of the Act and the data controller’s policies concerning the use of personal data, is appropriately enforced. Completion of such training, including that of regular refresher training, shall be recorded and monitored to ensure compliance.
Royal Bank of Scotland
18 May 2017 (follow up to Undertaking issued 4 November 2016)
DPA – 7th Principle
On 15 May 2017 the Information Commissioner’s Office (‘ICO’) conducted a follow-up assessment of the actions taken by Royal Bank of Scotland (‘RBS’) in relation to the undertaking it signed on 4 November 2016. The objective of the follow-up is to provide the ICO with a level of assurance that the agreed undertaking requirements have been appropriately implemented.
RBS agreed to the undertaking following the Commissioner’s investigation of an incident that took place in October 2014, whereby dozens of faxes containing personal data were sent to an incorrect fax number belonging to a third party organisation, despite RBS being informed that faxes were regularly being sent to the incorrect number over a period spanning 14 months (DPA – 7th Principle).
The review demonstrated that RBS has taken appropriate steps and put plans in place to address some of the requirements of the undertaking. However, further work needs to be completed by RBS to fully address the agreed actions.
RBS confirmed that it has taken the following steps:
  1. Procedures are put in place to ensure any reported breach of security relating to personal data is acted upon promptly and any containment and remedial measures are swiftly enforced;
    • The process for breach reporting within the retail bank has been reviewed and amended to make it easier for staff to report a data protection breach, including instances where communications have been sent to a recipient in error. An amended e-reporting form to log any data protection (‘DP’) breach was introduced in December 2016.
    • RBS has provided evidence of the guidance it has issued on MyKnowledge, which is an online tool and is the front line / branch staff’s first port of call for guidance on processes. This process has made it easy for staff to report a data protection breach. The guidance includes how to recognise a breach and contains a step-by-step guide including timescales, which stipulates that all breaches are required to be reported within 24 hours and, where a breach meets the criteria for notification to the regulator, notification is to be submitted to the regulator within 72 hours.
  2. Fax procedures are implemented consistently across all branches and regularly monitored to ensure consistent standards. Compliance with any associated fax policy and guidance should be monitored on an ongoing basis and appropriate steps taken to ensure any failings are rectified with minimal delay by no later than 24 February 2017;
    • For those activities where there is currently no alternative to using faxes, RBS has provided evidence of the new fax procedure implemented in January 2017. The fax process includes the requirement to use pre-programmed numbers and any number added to the list must be double checked by a colleague.
    • RBS has provided information on how the new process acts to enforce any remedial measures resulting from a fax data breach. As part of the new fax process, branch managers carry out a weekly check for any faxes sent in error to the wrong recipient and log them as a DP breach. The DP breach logs are continuously monitored by the business, via ‘Privacy Champs’ who sit throughout RBS’ retail businesses. They check that appropriate corrective action is taken when DP breaches arise in their area and escalate any issues as required. The Privacy team further assesses all submissions on a monthly basis to spot trends and root causes, allowing for the identification of additional training and awareness needs. Monthly meetings are held with representatives across the retail bank. RBS states that attendees have been tasked with ensuring that Privacy matters are understood by their business areas, with any areas of concern discussed and escalated to the Privacy team for guidance. However, we have not been provided with any evidence to support this.
    • Evidence has been provided to show how RBS’ Assurance teams have checked that the new fax process communication has been understood and is being implemented by their retail business, in the form of an Assurance thematic review which was conducted on 16 January 2017, three weeks after the implementation of the new fax process. This activity was completed by Control Quality Managers (‘CQM’) with support of the Business Embedding & Execution Managers across NatWest, Royal Bank of Scotland & Ulster Bank. The teams have visited 187 branches and spoken to 460 staff members.
    • RBS has also provided a copy of the Faxed Themed Review Outcome dated February 2017. The results show that 88% of staff were aware of the new fax process, 96% of staff were able to locate the policy and 78% of staff were aware of the process to follow if they were informed by a customer or a third party of a data protection breach. A check of the pre-programmed numbers showed 67% were inputted correctly and 32% incorrectly. Of the numbers not pre-programmed, only 39% followed the exceptions process. According to RBS, the themed review failings in these areas have been addressed either by the CQM during their visit or through local action plans; however, no evidence has been provided to support this.
  3. To ensure any alternative revised processes are fully tested for security and reliability and any related guidance is disseminated to all staff.
    • At the time of the review, this action had not been completed. However, whilst no evidence has been provided to support the progress of this action, RBS appears to be considering more secure methods for transferring personal data.
    • Work is presently under way to explore technical solutions which will allow switching from fax processes to electronic processes to allow for increased paperless processing within their branch network and telephony business. For example, the implementation of an email scanning solution is being pursued as the long-term alternative to using faxes.
    • A phased roll-out is underway and is planned to complete in the first half of 2018. This project is a priority project for the retail bank. Before introduction of any new technical solution it will be fully tested in line with the Bank’s standard processes and procedures and adequate controls put in place to protect customer data.
    • RBS should ensure that as soon as practical, all staff handling personal data are provided with relevant guidance in relation to any newly implemented technical solution and trained in those new procedures, in order to safeguard customer’s personal data.
  4. The data controller shall implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.
    • RBS carries out ongoing security awareness and education activities. Through these activities, RBS promotes and maintains a “security aware” culture across the Bank that educates employees, contractors, third-party users, and business partners on how to protect bank information throughout its lifecycle. Employees are required to complete mandatory manual computer based training, guiding and reminding them of best practice.
    • The need for security and confidentiality is addressed through Bank policy (such as the Bank’s Security Policy and Privacy & Client Confidentiality Policy) including reminders to staff that data breaches must be promptly and fully internally reported once identified. A snapshot of the Security Policy dated 15 December 2016 has been provided, however this is not evidence of the above.
    • In addition RBS’ Security Policy requires the principles of least privilege and least access to be applied, to ensure that access is not authorised or available if there is no justified business requirement. Customers and Bank employees are identified and authorised before systems access is granted and access is regularly validated to ensure it remains appropriate.
However, RBS should take further action to fully address the agreed steps:
  • RBS has provided evidence of the content of a new training session which is available online for staff to highlight the revised breach reporting process and the importance of logging DP breaches. Managers can access this material and deliver it to staff as and when a need for particular staff training is identified. However, no evidence has been provided to show how many staff have received this training. RBS should implement monitoring and recording processes to assure that all staff who handle personal data receive this training and that it is included in any mandatory refresher training.
  • RBS has confirmed that staff are tested on their understanding of, and compliance with, the fax process on an ongoing basis. However, no evidence has been provided to confirm what percentage of staff have been tested, or whether any signed declarations are required from staff confirming their understanding of the new policy. RBS should therefore consider asking staff to sign a declaration to confirm their understanding of the new fax process and breach reporting procedure to ensure all staff are familiar with the new processes.
  • RBS has confirmed that a further Assurance review into the new fax process will take place once adequate time has passed for recommended updates to be implemented, however no evidence has been provided as to when this review will take place and how often monitoring of compliance will be undertaken. Whilst we note that progress has been made in this area, we would strongly advise that the follow up review is conducted as soon as possible to ensure the identified failings are addressed promptly.
Royal Free London NHS Foundation Trust
3 July 2017
DPA – 1st, 3rd, 6th, & 7th Principles
In response to media reports publicised in May 2016, the Information Commissioner (the 'Commissioner') was alerted to an arrangement between the Trust and DeepMind Technologies Limited (‘DeepMind’), a UK company and data processor, under which DeepMind was engaged to develop and deploy a new clinical detection, diagnosis and prevention application for the Trust. The Commissioner launched an investigation which primarily focused on the data processing undertaken during the clinical testing phase of the application.
The investigation determined that on 30 September 2015, the Trust entered into an agreement with Google UK Limited (an affiliate of DeepMind) to develop and deploy a new clinical detection, diagnosis and prevention application and the associated technology platform for the Trust. In order to undertake clinical safety testing of this application and technology platform DeepMind, for this purpose and under the terms of the aforementioned agreement, processed approximately 1.6 million partial patient records containing sensitive identifiable personal information held by the Trust.
The identifiable information in question included information on persons who had presented for treatment at the Trust in the previous five years for pathology tests, together with data from the Trust’s existing radiology and electronic patient record system. The purpose of requiring DeepMind to process such information was to enable the clinical safety testing and deployment in live operation of a new application and associated technology platform that would provide the Trust with a mobile electronic patient record and an alert, diagnosis and detection system for acute kidney injury. The clinical safety testing of that platform was undertaken by the Trust, using the application and technology hosted and maintained by DeepMind.
The Trust explained to the Commissioner that clinical safety testing at the relevant time was required by standards issued under the Health and Social Care Act 2012 and needed to be undertaken before new technology was deployed. The Commissioner has concluded however that these points need further exploration before a final view can be reached on them and expects to find them considered more fully in the Privacy Impact Assessment that the Trust is required to complete.
The platform went on to be formalised into a mobile device application, known as 'Streams'. From February 2017, the Streams application moved to live deployment and it is now in active use by the Trust’s clinicians. The Streams application is registered with the Medicines and Healthcare products Regulatory Agency as a Class I non-measuring device and is CE marked (a declaration of conformity with the EU’s Medical Devices Directive).
The agreement of 30 September 2015 set out the relationship between the Trust and Google UK Limited as one of a data controller to data processor, with the Trust retaining its data controller responsibilities throughout.
The Trust confirmed to the Commissioner that DeepMind was only provided access to patient records as a data processor. The Trust has also confirmed that DeepMind has never used that information for any purpose other than to conduct clinical safety tests and for the live operation of the application and associated technology platform set out above.
Data streaming between the Trust and DeepMind commenced on 18 November 2015. At that stage, the data was processed for clinical safety testing purposes only, and the Streams application was not in live deployment. This is an important point to note in the context of the conditions for processing that the Trust sought to rely upon at that stage.
All development and functional testing of the application and the related technology platform was undertaken by DeepMind using synthetic, non-personally identifiable, data. Pseudonymisation of the patient identifiable data was not undertaken for clinical safety testing. This is because the Trust was (and remains) of the view that it needed access to patient records in the application and technology platform in order to undertake clinical safety testing. The Trust is of the view that it is not possible to demonstrate clinical safety of a new technology of this type without access to information about real patients. The Trust was therefore of the view that the data was being held and made available for the purpose of direct patient care.
The Commissioner has concluded that there were a number of shortcomings in the way in which patient records were made available to DeepMind in support of the clinical safety testing of the Streams application by the Trust. These shortcomings amounted, in the Commissioner’s view, to non-compliance with the First, Third, Sixth and Seventh Data Protection Principles. These Principles are set out in Part I of Schedule 1 to the Act. The Commissioner considers that the data controller is also processing 'sensitive' personal data as defined by section 2(e) of the Act.
Principle One
The Commissioner's investigation determined that DeepMind processed approximately 1.6 million partial patient records to enable the clinical safety testing of the Streams application by the Trust. It is the Commissioner's view that patients were not adequately informed that their records would be processed for the purpose of clinical safety testing.
The Commissioner concluded that the data controller did not provide an appropriate level of transparency to patients about the use of their personal data during the clinical safety testing phase and that this processing was not something that the patients might reasonably expect. Specifically the Commissioner concluded that the fair processing information available to the patients was insufficient. Patients were not provided with sufficient notice that their records would be processed in support of the clinical safety testing of the Streams application. The Commissioner noted the recent improvements that have been made by the data controller to improve transparency and that a revised notice regarding live clinical use is now available.
The Commissioner was not satisfied that the Trust has, to date, properly evidenced a condition for processing that would otherwise remove the need for the Trust to obtain the informed consent of the patients involved for the processing of personal data for the clinical safety testing of the application prior to live deployment. As a result, during the Commissioner's investigation and to the Commissioner's satisfaction, the data controller has not been able to evidence a valid condition for processing personal data under Schedule 2 to the Act during the clinical safety testing phase of the application or to evidence a valid condition for processing sensitive personal data under Schedule 3 to the Act during the clinical safety testing phase of the application. The Commissioner therefore required the Trust to provide evidence that any future testing arrangements with DeepMind will comply with a processing condition in Schedule 2 and 3 to the Act.
The Commissioner worked closely with the Office of the National Data Guardian (the 'NDG') on the issue of whether the processing of the patient records during the clinical safety testing phase was in breach of the common law duty of confidentiality. The Trust maintains that the clinical safety testing of the application amounted to direct care so that it had the implied consent of its patients for confidentiality purposes, in accordance with the NDG’s guidance. The Commissioner has considered the advice given by the NDG on this issue earlier this year and in light of the Commissioner’s review and the NDG's view on the matter, the Commissioner considers it is likely that the processing of the records during the clinical safety testing phase was in breach of confidence and therefore not compliant with the First Data Protection Principle under the Act. The Commissioner has therefore required the Trust to provide evidence that any future development or testing arrangements with DeepMind are not in breach of its duty of confidence, as it relates to the First Data Protection Principle.
The Commissioner also notes that the Trust has adopted a revised notice and opt out approach, in line with the recent guidance of the NDG in order to enable compliance with patient confidentiality. Patients should also note that the Commissioner has not, in investigations to date, found grounds for concern regarding the data processing in the live use of the Streams application.
Principle Three
The Commissioner considered the Trust's representations as to why it was necessary for so many records (1.6 million) to be used to support the clinical safety testing of the application. The Commissioner was not persuaded that proper consideration was given to the necessity of processing so many patients' records. As such the Commissioner is of the view that the Trust has failed to demonstrate that the processing of such a large number of partial records was both necessary and proportionate to the purpose pursued by the data controller and that the processing was potentially excessive. The Commissioner did not receive evidence of whether lower volumes of records could have been used during the testing phase. Whilst the rationale for using the full range of records in the live clinical setting is now clearer, the Commissioner emphasises the importance of assessing the proportionality in future iterations of the application for testing or clinical purposes.
Principle Six
The Commissioner's investigation has determined that as patients were not provided with sufficient information about the processing and as a result those patients would have been unable to exercise their rights to prevent the processing of their personal data under section 10 of the Act. As set out above, the Trust has now taken further steps to ensure patients are aware of the use of their data for clinical safety testing and of their ability to opt out from such testing. This was not the case in 2015 and early 2016.
Principle Seven
Principle Seven requires that where a data processor carries out processing on behalf of a data controller, a contract evidenced in writing must be in place. Although there was a written information sharing agreement in place that set out the parties’ roles and imposed security obligations on the processor at the time DeepMind was given access to the data, the Commissioner's investigation has determined that this agreement did not in the Commissioner’s view go far enough to ensure that the processing was undertaken in compliance with the Act. It is the Commissioner's view that the information sharing agreement of 30 September 2015 did not contain enough detail to ensure that only the minimal possible data would be processed by DeepMind and that the processing would only be conducted for limited purposes. It is the Commissioner’s view that the requirements DeepMind must meet and maintain in respect of the data were not clearly stated. The Commissioner is also concerned to note that the processing of such a large volume of records containing sensitive health data was not subject to a privacy impact assessment ahead of the project's commencement.
The Commissioner does however recognise that the Trust has since replaced and improved the documentation in place between the Trust and DeepMind and has increased patient visibility of the use of data for the Streams application.
The data controller shall, as from the date of this Undertaking and for so long as similar standards are required by the Act or other successor legislation, ensure that personal data are processed in accordance with the First, Third, Sixth and Seventh Data Protection Principles in Part I of Schedule 1 to the Act, and in particular that:
  1. The data controller will, within two months, complete a privacy impact assessment explaining how the data controller will demonstrate compliance with the Act in relation to the arrangement with DeepMind, if and to the extent such arrangement involves the processing of personal data relating to patients, during any future (a) application development and functional testing and (b) clinical safety testing that in either case is either planned or already in process. The privacy impact assessment should contain specific steps to review and (where necessary) ensure transparency and the provision of the fair processing information to affected individuals;
  2. The data controller will, within one month of the date of the completion of the privacy impact assessment set out in (1) above, provide evidence that a condition for processing personal data under Schedule 2 to the Act applies in relation to its arrangement with DeepMind, if and to the extent such arrangement involves the processing of personal data relating to patients, to the use of such data for any further (a) application development and functional testing and (b) clinical safety testing which in either case uses patient data, and which in either case is either planned or currently in process;
  3. The data controller will, within one month of the date of completion of the privacy impact assessment set out in (1) above, provide evidence that a condition for processing sensitive personal data under Schedule 3 to the Act applies in relation to its arrangement with DeepMind, if and to the extent such arrangement involves the processing of personal data relating to patients, to any future (a) application development and functional testing; and (b) clinical safety testing, which in either case is either planned or currently in process;
  4. The data controller will, within one month of the completion of the privacy impact assessment set out in (1) above, provide the Commissioner with details of how it will comply with its duty of confidence to patients as it relates to compliance with the First Data Protection Principle, in any future (a) application development and functional testing; and (b) clinical safety testing in relation to its arrangement with DeepMind if and to the extent such arrangements will use patient data and which in either case is either planned or in process;
  5. The data controller will commission, within three months of the date of this undertaking, a third party audit of the current processing arrangements between the data controller and DeepMind, including an audit of how the data processing agreement between the data controller and DeepMind is operating in practice, in order to ensure compliance with the Act, and disclose the findings to the Commissioner. The audit scope should assess both the current live clinical use of the Streams application and (a) any future application development and functional testing and (b) clinical safety testing that in either case is either planned or already in process. It should also include consideration as to whether the transparency, fair processing, proportionality and information sharing concerns outlined in this undertaking are now being met. The Commissioner will first approve the data controller's choice of auditor and agree the terms of reference. The Commissioner will, in the interests of transparency and in acknowledging the wider public interest in this case, retain the discretion to publish parts or all of the audit findings as appropriate.
Wolverhampton City Council
28 March 2017 (follow-up to Undertaking issued 6 June 2016)
DPA – 7th Principle
During March 2017 the Information Commissioner’s Office (ICO) conducted a follow-up assessment of the actions taken by Wolverhampton City Council (WCC) in relation to the undertaking it signed on 2 June 2016. The objective of the follow-up is to provide the ICO with a level of assurance that the agreed undertaking requirements have been appropriately implemented.
WCC agreed to the undertaking following the Commissioner’s investigation of an incident that involved an email containing a spreadsheet holding the personal information of employees at 73 educational establishments, being sent in error to an external recipient (DPA – 7th Principle).
The ICO review found that WCC has taken steps and put plans in place to mainly address the requirements of the undertaking as follows:
  • A report was submitted to the Council's Strategic Executive Board on 19 July 2016, including a proposed action plan to ensure that the requirements of the ICO undertaking would be met.
  • A review of the ‘Protecting Information’ e-learning module was carried out and the module was updated.
  • An email was sent in August 2016 to employees who had not completed, or who needed to retake, the Protecting Information e-learning module, including a deadline of 30 September 2016 for completion. This was extended to 30 November 2016 and, if any of WCC’s employees had not completed it by that point, WCC ensured that they had completed it by 3 March 2017 in line with the ICO’s undertaking requirements.
  • Between July 2016 and February 2017, a series of communications were issued across WCC to raise awareness of the ICO undertaking, including the requirement for all WCC employees to complete the Protecting Information e-learning module. These communications included: messages sent via email in the form of ‘Core Briefs’, email reminders from Organisational Development, messages published on WCC’s intranet, managing director briefings, specific internal red banner messages on WCC’s intranet and key message reminders at directorate and team meetings.
  • Additionally, WCC ran several Information Governance (IG) Surgeries during December 2016 and 15 IG Surgeries across 4 days during February 2017. These IG Surgeries were dedicated to delivering the Protecting Information eLearning training.
  • WCC continued to work with its Workforce Development Team and the Learning Pool (providers of the Learning Hub, the Council's e-learning training system) to implement a solution which would enable WCC to track and monitor employees’ training completion. This was implemented in July 2016.
  • The Learning Hub now has a tab which specifies that protecting information e-learning training is mandatory for all employees.
  • Between July 2016 and February 2017, regular updates on the completion of the protecting information e-learning training were provided to the Senior Strategic Board – with any follow-up action being undertaken by area directors.
  • WCC have confirmed that the Protecting Information e-learning refresher training will now take place every 12 months. WCC employees will receive an automated email reminder when they are due to complete the protecting information e-learning training.
  • Between 3 June 2016 and 2 January 2017, 98% of WCC’s employees had completed their Protecting Information e-learning refresher training and 86% of employees had completed their Protecting Information e-learning induction training.
  • Between 3 June 2016 and 3 March 2017, 99% of WCC’s employees had completed WCC’s mandatory induction and refresher Protecting Information e-learning training.
Although WCC has largely taken appropriate steps to comply with the undertaking, the ICO advised that WCC continue to work in the following areas to further improve their data protection compliance:
  1. The data controller shall devise and implement a system to ensure that completion of data protection training is monitored and that procedures are in place to ensure that staff who have not completed training within the specified time period do so promptly. This should be completed within three months of the undertaking.
    • As line managers are responsible for ensuring that their teams complete any mandatory training, WCC should continue to look at providing managers with an additional dashboard solution that will provide them with information about which staff have completed the Protecting Information e-learning training.
    • WCC should consider producing a training communications plan each year to ensure continuous awareness of the Protecting Information e-learning training and the requirements of the Data Protection Act.
  2. The data controller shall ensure that all staff handling personal data receive data protection training and that this training is refreshed at regular intervals, not exceeding two years. The data controller should ensure that all staff that handle sensitive personal data regularly, receive refresher training within six months of the date of the undertaking, and all other staff have received refresher training within nine months of the date of the undertaking.
    • WCC should ensure that they monitor and produce statistical reporting information for the protecting information learning module, specifically in respect of employees that handle sensitive personal information.
Basildon Borough Council
22 May 2017
£150,000
DPA - 7th Principle
Factual background
Basildon Borough Council (the ‘Council’) is a local planning authority which is required to make decisions on planning applications. This involves its planning department uploading planning applications to its website in order to consult with the public.
On 16 July 2015, an administrator in the Council’s business services department received a planning statement (the ‘statement’) in support of a householder's application for proposed works in a green belt. The statement contained sensitive personal data relating to a static traveller family (the ‘family’) that had been living on the relevant site for many years. In particular, the statement referred to the family's disability requirements, including mental health issues, the names of all the family members, their age and the location of the site.
The Council’s policy and established approach was that personal data would be redacted from such documents before being uploaded to the website. The planning technician, however, was inexperienced in checking the contents of documents relating to planning applications which contained sensitive information. He did not notice the information about the family that was embedded in the statement and therefore did not make any redactions. No procedure was in place for a second person to check such documents before they were uploaded. Consequently, the planning application, which contained sensitive personal data, was uploaded onto the Council’s website on 16 July 2015 and remained available until it was removed on 4 September 2015.
ICO Finding
The ICO found that the Council failed to take appropriate organisational measures against the unauthorised processing of personal data (DPA – 7th Principle). Basildon did not have in place appropriate organisational measures for ensuring so far as possible that such an incident would not occur, i.e. for ensuring that statements containing sensitive personal data would not be published on Basildon's website. In particular, the Council did not:
  • have in place an adequate procedure governing the redaction of statements by planning technicians;
  • provide any (or any adequate) training to planning technicians on the redaction of statements;
  • have in place any guidance or procedures for a second planning technician or senior officer to check statements for unredacted data (and specifically sensitive personal data) before they were returned to the administrator; and
  • have in place any guidance for the administrator to check statements for unredacted data before they were uploaded to its website.
The Council had submitted that (i) it was obliged under the Town and Country Planning (Development Management Procedure) (England) Order 2015 (the ‘2015 Order’) to include the full contents (including any unredacted planning statements) of any application as part of its local authority planning register and (ii) where it chose to make its planning register available it had no power to redact any details of its register. The ICO rejected these submissions for the following reasons:
  • The 2015 Order could not be construed so as to oust an individual’s rights under the Data Protection Act 1998, Directive 95/46/EC or Article 8 of the European Convention on Human Rights;
  • The Council’s duty to make the planning application available to members of the public did not entail including every single item of information which is included in the application;
  • Disclosure on a website is materially different from a right of inspection, and where the Council chooses to make its planning register available it cannot override individuals’ rights under the Data Protection Act 1998, Directive 95/46/EC or Article 8 of the European Convention on Human Rights; and
  • If every single item of information submitted with a planning application should have been made publicly available on its website, this should have been made clear to applicants so that they could make informed decisions about what data to include in their applications.
The Commissioner considers that Basildon did not deliberately contravene the DPA, but rather the contravention was the result of serious oversight. Basildon knew or ought reasonably to have known that there was a risk that this contravention would occur.
Harm
The Commissioner found that the contravention was ‘serious’ due to the number of affected individuals, the sensitive nature of the personal data that was contained in the statement, the period of time for which this sensitive personal data was available online and the potential consequences for the affected individuals. The Commissioner also found the contravention was of a kind likely to cause substantial distress and/or damage, because sensitive personal data was published online for six weeks and Basildon failed to process the personal data in accordance with its own policies and within reasonable expectations of the individuals.
Aggravating factors
  • Basildon did not notify the affected individuals.
  • Basildon had not taken sufficient remedial action.
Mitigating factors
  • Basildon referred this incident to the Commissioner, removed the relevant data from its website and was co-operative during the Commissioner's investigation.
  • A monetary penalty might have a significant impact on Basildon's reputation.
  • Some of the personal data and sensitive personal data which Basildon should have redacted was otherwise available in a public document, namely the previously published report of a Planning Inspector.
  • The affected individuals do not appear to have become aware of or complained about this contravention. The Commissioner was not aware of the affected individuals actually suffering any damage or distress in this case.
Battersea Dogs’ and Cats’ Home
3 April 2017
£9,000
DPA – 1st Principle, 2nd Principle
Factual Background
Battersea Dogs & Cats Home (‘BDCH’) is an animal shelter which rescues cats and dogs in need of help, and nurtures them until an owner or a new home can be found.
BDCH used the services of external companies to undertake tele-matching on its behalf between November 2010 and July 2015. Tele-matching is the use of personal data to obtain and use telephone numbers which data subjects may have chosen not to provide to the data controller. The ICO understands that in the period between January 2011 and July 2015 BDCH processed a total of 740,181 records containing personal data for this purpose. This resulted in 385,709 records being matched and 229,476 individuals being contacted.
ICO Finding
The ICO considered that BDCH’s privacy notices in place at the relevant time did not indicate that personal data would be used for tele-matching purposes. The ICO found that BDCH did not process its supporters’ personal data fairly because BDCH did not have the required consent to use the data for tele-matching purposes and such activities were incompatible with the purposes explained in their privacy notices (DPA – 1st and 2nd Principles).
In particular, BDCH did not amend its privacy notices adequately, or obtain consent from the data subjects to the processing of data for tele-matching purposes.
The ICO is satisfied that these contraventions were deliberate, in the sense that BDCH’s actions were deliberate. While BDCH may not have deliberately set out to contravene the DPA, it deliberately acted in such a way that it did so. Alternatively, BDCH ought reasonably to have known that there was a risk of these contraventions occurring, and that they would be of a kind likely to cause substantial damage or distress.
Harm
The ICO was satisfied that the contraventions identified were ‘serious’ due to the duration of the contravention, the number of individuals affected, and potential significant consequences of the contravention, which included receiving additional marketing communications from BDCH and/or marketing communications using contact details which the data subjects may have declined to provide.
The ICO held that the contraventions were of a kind likely to cause substantial damage or substantial distress to the individuals concerned, taking into account:
  • At least some proportion of data subjects are likely to be distressed if BDCH uses personal data they have chosen to provide in order to obtain and use data which they have chosen not to provide, in order to contact them for direct marketing purposes. They are also likely to be distressed by not being told in advance that their personal data may be used in that way.
  • At least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with additional marketing approaches from BDCH arising from its tele-matching practices.
  • Given the scale and duration of the contravention, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • BDCH followed the unlawful practice described over a period of several years.
  • BDCH’s practice appears to have been driven by financial gain. The fact that it is a charity is not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.
  • BDCH has contravened the fundamental rights of very large numbers of individuals to have their personal data processed in accordance with the Data Protection Act 1998 and Directive 95/46/EC.
  • By failing to adequately explain to data subjects how their personal data would be used, BDCH has deprived them of control and informed decision-making about their personal data to a significant extent.
  • BDCH’s activity has exposed the relevant data subjects to substantially distressing and/or damaging consequences, including: intrusions into their privacy due to increased direct marketing communications from BDCH. It is likely that many individuals will have been persuaded to increase their financial support. Those financial consequences will to a significant extent have flowed from BDCH’s unlawful data protection practice.
Mitigating Factors
  • BDCH co-operated with the ICO’s investigations.
  • BDCH is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • BDCH's practice may to an extent have reflected commonplace – albeit mistaken and unlawful – approaches in the charitable sector.
  • BDCH has taken remedial action.
  • The intended monetary penalty may have negative reputational consequences for BDCH.
Boomerang Video Ltd
9 June 2017
£60,000
DPA – 7th Principle
Factual Background
Boomerang Video operates a website that enables its customers to rent video games via a payment web application. The website was developed in 2005 by a third party company (the ‘data processor’). The login page on the website contained a coding error Boomerang Video was unaware of.
On 5 December 2014, an attacker exploited this vulnerability by using SQL injection to gain access to usernames and password hashes for the WordPress section of the site. One password was shown to be a simple dictionary word based on the company’s name. The attacker then uploaded a malicious web shell onto the web server to further compromise the system and gain access to the personal data of individuals stored within. On 30 December 2014, the attacker was able to query the customer database and download text files containing 26,331 cardholder details (including name, address, primary account number, expiry date and security code). Although part of the primary account numbers were stored unencrypted, the attacker was able to gain access to the decryption key with ease, using information in configuration files on the web server. Industry guidelines prohibit the storage of the security code after payment authorisation.
This was an ongoing contravention from 2005 when the website was developed by the data processor until Boomerang Video took remedial action on 12 January 2015.
ICO Finding
The ICO found that Boomerang Video failed to take appropriate technical measures against the unauthorised or unlawful processing of personal data (DPA – 7th Principle).
The Commissioner also found that Boomerang Video did not have in place appropriate technical measures for ensuring the personal data stored on the customer database could not be accessed by an attacker performing an SQL injection attack. In particular Boomerang Video failed to:
  • carry out regular penetration testing on its website that should have detected the error;
  • ensure that the password for the WordPress account was sufficiently complex to be resistant to a brute-force attack on the stored hash values; and
  • keep the decryption key secure and prevent it being accessed by the attacker.
The Commissioner did not consider the contravention deliberate, but Boomerang Video ought reasonably to have known that there was a risk an attack performed by SQL injection would occur unless it ensured the personal data stored on the database was appropriately protected.
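To show the two controls the finding turns on, here is an added example (not from the ICO notice or from Boomerang Video's own code) of a login lookup in the string-concatenation form that lets quoted input change the query, beside a parameterised form, with passwords stored as salted PBKDF2 hashes so that a leaked hash table is costly to attack by dictionary. The table, the account `alice`, its password and the probe string are all constructed for the example.

```python
"""Vulnerable versus hardened login lookup (added example, constructed data)."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # a slow hash is what makes offline dictionary attacks expensive


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored beside the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def setup_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account (alice)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("alice", salt, hash_password("correct horse battery", salt)),
    )
    conn.commit()
    return conn


def fetch_user_vulnerable(conn: sqlite3.Connection, username: str):
    """The coding-error pattern: the submitted username is spliced into the SQL
    text, so a quote character in the input alters the query's structure."""
    sql = "SELECT username, salt, pw_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()


def fetch_user_hardened(conn: sqlite3.Connection, username: str):
    """Parameterised lookup: the driver sends the value separately from the SQL,
    so the identical input is only a string that matches no account."""
    sql = "SELECT username, salt, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


def verify_login(conn: sqlite3.Connection, fetch, username: str, password: str) -> bool:
    """Recompute the salted hash and compare in constant time."""
    row = fetch(conn, username)
    if row is None:
        return False
    _, salt, stored_hash = row
    return hmac.compare_digest(stored_hash, hash_password(password, salt))


if __name__ == "__main__":
    db = setup_db()
    # Constructed probe: a username that does not exist but carries a quote.
    probe = "nobody' OR username = 'alice"
    print("vulnerable lookup returned:", fetch_user_vulnerable(db, probe))  # alice's row
    print("hardened lookup returned:", fetch_user_hardened(db, probe))      # None
    print("alice with right password:", verify_login(db, fetch_user_hardened, "alice", "correct horse battery"))
```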
Harm
The Commissioner considered Boomerang Video’s failure to take adequate steps to safeguard against unauthorised or unlawful access ‘serious’ due to the number of data subjects, the nature of the personal data that was stored on the database and the potential consequences.
The Commissioner also found that the contravention was of a kind likely to cause substantial distress because of the number of data subjects and the nature of the personal data stored on the customer database. Further, the ICO found that the contravention caused damage because this information was misused by the person who had access to it, and exposed some of the data subjects to fraud.
Aggravating factors
  • Boomerang Video was not aware of this security breach until 9 January 2015 when it was notified by its customers.
  • Boomerang Video assessed itself to be compliant with the “Payment Card Industry Data Security Standard” despite failing to carry out penetration testing on its website.
  • Boomerang Video received approximately 1,100 complaints and enquiries as a result of this security breach.
Mitigating factors
  • Boomerang Video’s website was subjected to a criminal attack.
  • Boomerang Video reported this incident to the Commissioner and was co-operative during the investigation.
  • The data processor assured Boomerang Video that the payment security codes were not stored on the customer database.
  • Boomerang Video has now taken substantial remedial action.
  • A monetary penalty may have a significant impact on Boomerang Video’s reputation (and to some extent) its resources.
Brighter Home Solutions Ltd
12 May 2017
£50,000
PECR – Regulation 21
Factual Background
Brighter Home Solutions’ (‘BHS’) business involves making marketing calls to subscribers in order to sell its home improvement products and services including windows, doors, conservatories and kitchens.
Between 4 January 2016 and 26 August 2016, the Telephone Preference Service (‘TPS’) received 160 complaints about BHS. The TPS is a register of numbers allocated to subscribers who have notified the TPS that they do not wish to receive unsolicited calls for direct marketing purposes on those lines. The TPS referred all of those complaints to BHS and also notified the ICO. BHS did not respond to the TPS in relation to any of the complaints.
Some of the individual subscribers complained that the calls were misleading because the callers gave the impression that they were calling from a local number and were misled into believing that they may have been contacted by BHS previously and agreed at that time to receive further calls in the future.
After being contacted by the ICO, BHS explained that it purchased opt-in data from third party companies, which it then used to call individual subscribers to market its products and services. However, BHS had not carried out any due diligence checks to ensure that the individual subscribers had given their consent to BHS to receive such calls.
ICO finding
The ICO found that BHS made live marketing calls to subscribers who had registered with the TPS at least 28 days prior to receiving the calls and they had not given their prior consent to BHS to receive calls (Regulation 21 of PECR).
In particular:
  • BHS was unable to provide any evidence that it had undertaken appropriate due diligence in this case.
  • BHS was unable to provide sufficient evidence that the individuals to whom the text messages had been sent had consented to the receipt of those messages.
The ICO did not consider the contravention deliberate, but BHS failed to take reasonable steps to prevent the contravention and were therefore negligent.
Harm
The Commissioner was satisfied that the contravention was ‘serious’ because there were multiple breaches of regulation 21 by BHS over an 8 month period, which led to a significant number of complaints to the TPS and the ICO.
Aggravating Factors
  • BHS might obtain a commercial advantage over its competitors by generating leads from unlawful marketing practices.
  • BHS misled subscribers by displaying a false CLI (Calling Line Identification) that had the same area code as the subscriber. This led subscribers to think that the call was from someone in their local area. This was done as the subscriber was more likely to answer the telephone.
  • The call script used by BHS contained the misleading statement “… [we] are calling everyone back who did not receive our call or who may have asked us to call back this year. It was a while back so don’t worry if you do not remember receiving the call.” This was not necessarily always the case.
  • In October 2016 the ICO received evidence that although BHS had an up to date TPS registration, it had not accessed the system for at least the previous 4 months. As such, there was no evidence that the company had screened its data against the TPS in order to avoid calling subscribers who did not wish to be called.
Mitigating Factors
  • There was a potential for damage to BHS’s reputation which may affect future business.
Cab Guru Limited
6 September 2017
£45,000
PECR – Regulation 22
Factual Background
Cab Guru Limited (‘Cab Guru’) is the company behind the mobile application called "Cab Guru", which allows customers to compare taxi and minicab fares and pickup times and then to book the selected service.
Cab Guru marketed this service by sending direct marketing text messages, inviting customers to download the application.
Between 27 May 2016 and 5 June 2016:
  • 360,373 unsolicited text messages were delivered;
  • 165 complaints were made via GSMA's Spam Reporting Service (to whose data the ICO is given access); and
  • One complaint was made to the ICO.
On 25 June 2016 the ICO wrote to Cab Guru requesting evidence of consent relied upon to send the text messages. Cab Guru stated that it had undertaken a one-day SMS marketing campaign targeted at customers, whose telephone numbers had been obtained from Cab Guru's associated taxi companies. Cab Guru did not obtain consent directly from the SMS recipient, however the associated taxi companies had asked customers for their consent to receive text messages.
The ICO subsequently requested copies of the customer agreements to evidence the consent relied upon. Cab Guru confirmed that there was no formal written contract or consent, as the text message contact was requested by the customer via the online web booking form or mobile phone apps.
Upon further investigation, the ICO discovered that the associated cab companies incorporated an automatic agreement to marketing in privacy policies or terms & conditions for use of their services. The consent to the marketing was therefore a compulsory term rather than a discretionary one.
ICO Finding
The ICO found that Cab Guru successfully sent 360,373 unsolicited direct marketing text messages without the appropriate consent (Regulation 22 of PECR). A further 346,277 had failed to send.
The ICO held that this contravention was not deliberate. However, Cab Guru knew or ought to have known that there was a risk that these contraventions would occur given that the issue of unsolicited text messages has been widely publicised by the media, and that the ICO had published detailed guidance in this area. Cab Guru had therefore been negligent in sending the text messages.
Further, the ICO found that Cab Guru failed to take reasonable steps to prevent the contravention. In particular, it failed to:
  • put in place appropriate systems and procedures to ensure that it had the specific consent of those to whom it sent marketing text messages; and
  • adequately record the source of the data used or retain evidence of any consent obtained.
Harm
The ICO was satisfied that the contravention caused distress among consumers, as evidenced by the large number of complaints made. Furthermore, the ICO determined that the contravention was 'serious' given the high number of contraventions, and the fact that this number could have been much larger, as 346,277 messages had failed to send.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
Cancer Research UK
3 April 2017
£16,000
DPA – 1st Principle, 2nd Principle
Factual Background
Wealth screening
Cancer Research UK (‘CRUK’) used the services of a wealth screening company to analyse the financial status of its supporters in order to identify those that would have the capacity and propensity to make a larger donation to charity. The personal data which CRUK provided to the wealth screening company included supporters' names and addresses and information relating to their donation history. Between 2010 and 2016, CRUK processed 10,017,997 records for the purposes of wealth analysis relating to 3,523,566 supporters.
Tele-matching
CRUK also used the services of external companies to undertake tele-matching (tele-matching is a data-matching process by which telephone numbers are obtained and used) on its behalf. Since July 2011 it has matched at least 678,887 telephone numbers to supporters for whom it has other personal data.
ICO Finding
The Commissioner was satisfied that these contraventions were deliberate, in the sense that the actions of CRUK were deliberate. While CRUK may not have deliberately set out to contravene the DPA, it deliberately acted in such a way that it did so. Alternatively, CRUK ought reasonably to have known that there was a risk that the contraventions would occur, and that they would be of a kind likely to cause substantial damage or distress.
Wealth screening
The ICO found that CRUK unfairly processed individuals’ personal data because using their data to perform wealth screening was not in the reasonable expectation of those individuals and they were not informed that CRUK would adopt these techniques (through CRUK’s privacy policy or otherwise) (DPA – 1st Principle). The ICO also found that the purpose of wealth analysis was incompatible with the purposes for which the data were obtained (administering the donation and, if the individual consented, for marketing purposes) (DPA – 2nd Principle).
Tele-matching
The ICO also found that it was unfair for CRUK to use the data for data-matching and/or tele-matching purposes without consent of the data subjects and that such activities were incompatible with the purposes explained in their privacy notices (DPA – 1st Principle, 2nd Principle).
Harm
The ICO considered that the contraventions were serious because of the length of time over which the contraventions took place, the number of data subjects whose rights were infringed and the data subjects were likely to have been affected by those contraventions in significant practical ways.
The ICO was satisfied that these contraventions were of a kind likely to cause substantial damage or substantial distress, taking into account that:
  • at least some proportion of data subjects are likely to be distressed as a result of the contravention;
  • at least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with additional approaches from CRUK; and
  • given the scale and duration of the contraventions, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • CRUK has followed the unlawful practices over a period of several years.
  • CRUK's practices appear to have been driven by financial gain. The fact that it is a charity is not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.
  • CRUK has contravened the fundamental rights of very large numbers of individuals to have their personal data processed in accordance with the Data Protection Act 1998 and Directive 95/46/EC.
  • By failing to adequately explain to data subjects how their personal data would be used, CRUK has deprived them of control and informed decision-making about their personal data to a significant extent.
  • CRUK's activities have exposed the relevant data subjects to substantially distressing and/or damaging consequences, including intrusions into their privacy due to increased direct marketing communications from CRUK. It is likely that many individuals will have been persuaded by CRUK to increase their financial support. Those financial consequences will to a significant extent have flowed from CRUK's unlawful data protection practices.
Mitigating Factors
  • CRUK co-operated with the Commissioner's investigations.
  • CRUK is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • CRUK has taken remedial action.
  • CRUK's practices may to an extent have reflected commonplace - albeit mistaken and unlawful - approaches in the charitable sector.
  • The intended monetary penalty may have negative reputational consequences.
Cancer Support UK (formerly Cancer Recovery Foundation UK)
3 April 2017
£16,000
DPA – 1st Principle, 2nd Principle
Factual Background
Cancer Support UK (‘CSUK’) is a charity that provides practical and emotional support to people with cancer, during and after the treatment period.
CSUK shared the names and addresses of its supporters with third party organisations. CSUK also participated in the Reciprocate Scheme, a scheme run by an external company which enabled participating charities to share or swap the personal data of donors or prospective donors. The Commissioner understands that CSUK no longer shares personal data of its supporters in this way.
CSUK shared 3,075,550 records of its supporters between April 2010 and August 2016 with other organisations and charities through recognised list brokers who were “DPA-compliant”.
ICO Finding
The ICO found that CSUK did not process data fairly because the terms of CSUK’s privacy notice did not provide data subjects with adequate information as to how their personal data would be shared with third parties (DPA – 1st Principle). The ICO also found that such sharing was incompatible with the purposes explained in CSUK’s privacy notices (DPA – 2nd Principle).
In particular:
  • CSUK failed to take reasonable steps to prevent these contraventions from occurring.
  • CSUK did not amend its privacy notice adequately.
The ICO was satisfied that these contraventions were deliberate, in the sense that the actions of CSUK were deliberate. While CSUK may not have deliberately set out to contravene the DPA, it deliberately acted in such a way that it did so. Alternatively, CSUK ought reasonably to have known that there was a risk that the contraventions would occur, and that they would be of a kind likely to cause substantial damage or distress.
Harm
The ICO considered these contraventions to be ‘serious’ due to the number of individuals affected, the duration of contravention, and potential consequences of the contravention.
The ICO was satisfied that these contraventions were of a kind likely to cause substantial damage or substantial distress, taking into account that:
  • at least some proportion of data subjects are likely to be distressed if their personal data is shared by one charity with another for the purposes of the latter's fundraising efforts, without it being made sufficiently clear to the data subject that this would happen;
  • at least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with approaches from the bodies with which their data was shared; and
  • given the scale and duration of the contraventions, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • CSUK had followed the unlawful practice over a period of several years.
  • CSUK's practice appears to have been driven by financial gain. The fact that it is a charity is not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.
  • CSUK had contravened the fundamental rights of very large numbers of individuals to have their personal data processed in accordance with the Data Protection Act 1998 and Directive 95/46/EC.
  • By failing to adequately explain to data subjects how their personal data would be used, CSUK has deprived them of control and informed decision-making about their personal data to a significant extent.
  • CSUK's activities exposed the relevant data subjects to substantially distressing and/or damaging consequences, including intrusions into their privacy due to increased direct marketing communications from CSUK and/or other charities. It is likely that many individuals will have been persuaded - by CSUK and/or other charities - to increase their financial support. Those financial consequences will to a significant extent have flowed from CSUK's unlawful data protection practice.
Mitigating Factors
  • CSUK co-operated with the Commissioner's investigations.
  • CSUK is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • CSUK's practices may to an extent have reflected commonplace - albeit mistaken and unlawful - approaches in the charitable sector.
  • The intended monetary penalty may have negative reputational consequences.
Concept Car Credit Limited
12 May 2017
£40,000
PECR – Regulation 22
Factual Background
Concept Car Credit Limited (the ‘Company’) is a used car dealer offering both cars for sale and brokering car finance.
Over an 18-month period between 2015 and 2016, the Company used a public telecommunications service for the purposes of instigating the transmission of 336,000 unsolicited communications by means of text message to individual subscribers for the purposes of direct marketing.
Between 9 April 2015 and 5 March 2016, 66 complaints were made to GSMA’s Spam Reporting Service, or direct to the ICO, about the receipt of unsolicited direct marketing text messages sent on behalf of the Company. The GSMA’s Spam Reporting Service allows mobile users to report the receipt of unsolicited marketing text messages to the GSMA, who makes such complaints data available to the ICO.
The Company explained that it had obtained the data used to send the text messages from a number of third parties with which it held introducer agreements between 2012 and 2016. However, the Company was unable to provide sufficient evidence that the individuals to whom the text messages had been sent had consented to the receipt of those messages.
ICO finding
The ICO found that the Company did not have the consent of the 336,000 subscribers to whom it had instigated the sending of unsolicited direct marketing text messages (PECR – Regulation 22).
In particular:
  • The Company was unable to provide any evidence that it had undertaken appropriate due diligence in this case.
  • The Company was unable to provide sufficient evidence that the individuals to whom the text messages had been sent had consented to the receipt of those messages.
  • The Company failed to take reasonable steps to prevent the contraventions in this case.
The Commissioner was satisfied that the contravention was not deliberate, however, the Company knew or ought reasonably to have known that there was a risk that these contraventions would occur.
Harm
The ICO considered the contravention ‘serious’ because there were multiple breaches of Regulation 22 of PECR by the Company over an 18-month period. In addition, a large number of complaints were made to the ICO and GSMA’s Spam Reporting Service.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
Construction Materials Online Ltd
26 April 2017
£55,000
DPA – 7th Principle
Factual Background
Construction Materials Online Ltd (‘CMO’) operated a website that had been developed by a third party company. The website enabled its customers to purchase building products online by entering their card details, which were then encrypted and sent directly to an external payment system. However, CMO was unaware that the login pages contained a coding error.
An attacker exploited this vulnerability and gained access to usernames and passwords. The attacker uploaded a ‘malicious web shell’ to further compromise the system and on 6 May 2014 was able to modify payment pages and access 669 unencrypted cardholder details at the point of entry to the website. This included names, addresses, primary account numbers and security codes.
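The two visible traces of the CMO compromise were a new file (the web shell) appearing under the web root and an existing payment page changing. Neither was noticed until a customer complained. The following is an added illustration of the control that surfaces both, a hashed baseline of the web root compared against the current state on a schedule. It is not code from the ICO notice or from CMO's systems; every file name and file body below is constructed for the example, and the `checkout/` prefix used to mark payment pages is an assumption.

```python
"""Baseline-and-compare integrity check for a web root (added example).

Constructed illustration only: the paths and contents are invented, and the
'web shell' is a harmless placeholder string. The technique is the point:
hash every file in a known-good snapshot, re-hash later, and alert on new
server-side scripts and on changes to payment pages.
"""
import hashlib
from pathlib import Path

SCRIPT_SUFFIXES = (".php", ".asp", ".aspx", ".jsp")   # server-side code
PAYMENT_PREFIXES = ("checkout/",)                    # assumption: where card forms live


def snapshot(files):
    """files: mapping of relative path -> bytes. Returns path -> SHA-256 hex digest."""
    return {path: hashlib.sha256(body).hexdigest() for path, body in files.items()}


def snapshot_dir(root):
    """Same as snapshot() but reads a real directory tree; not used by the demo below."""
    root = Path(root)
    return snapshot({str(p.relative_to(root)).replace("\\", "/"): p.read_bytes()
                     for p in root.rglob("*") if p.is_file()})


def compare(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def alerts(report):
    """Turn a diff into prioritised findings.

    A new server-side script anywhere under the web root is the signature of
    an uploaded web shell; any change to a payment page is treated as a
    possible skimmer regardless of file type.
    """
    findings = []
    for path in report["added"]:
        if path.lower().endswith(SCRIPT_SUFFIXES):
            findings.append(f"new server-side script: {path}")
    for path in report["modified"]:
        if path.startswith(PAYMENT_PREFIXES):
            findings.append(f"payment page modified: {path}")
        elif path.lower().endswith(SCRIPT_SUFFIXES):
            findings.append(f"script modified: {path}")
    for path in report["removed"]:
        findings.append(f"file removed: {path}")
    return findings


def run_demo():
    """Constructed before/after states: one tampered payment page, one planted script."""
    baseline_files = {
        "index.php": b"<?php echo 'shop front'; ?>",
        "checkout/payment.php": b"<?php /* posts card form straight to the payment gateway */ ?>",
        "images/logo.png": b"\x89PNG\r\n\x1a\n placeholder image bytes",
    }
    tampered_files = dict(baseline_files)
    # Attacker edits the card-entry page so the fields are also copied elsewhere.
    tampered_files["checkout/payment.php"] = b"<?php /* card form now also copied to a third host */ ?>"
    # Attacker drops a script into an upload directory (placeholder text, not a real shell).
    tampered_files["uploads/shell.php"] = b"<?php /* constructed stand-in for an uploaded web shell */ ?>"

    report = compare(snapshot(baseline_files), snapshot(tampered_files))
    return report, alerts(report)


if __name__ == "__main__":
    report, findings = run_demo()
    print(report)
    for line in findings:
        print("ALERT:", line)
```

In a real deployment the baseline is taken from a clean build and stored off the web host, because an attacker who holds a web shell can otherwise rewrite the baseline along with the pages.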
ICO Finding
The ICO found that although CMO did not deliberately contravene the DPA, CMO failed to take appropriate technical measures against the unauthorised or unlawful processing of personal data (DPA – 7th Principle). This was a serious oversight.
The ICO found that CMO ought reasonably to have known that there was a risk of an attack occurring which was likely to cause substantial damage or distress unless the data processed on its website was appropriately protected.
Harm
The ICO found that owing to the number of data subjects, nature of the information which was stolen and potential consequences, the attack was ‘serious’.
The ICO found that there was a risk the contravention would be of a kind likely to cause substantial damage or distress, particularly as the information was misused by the person who had access to it, exposing the customers to fraud.
Aggravating Factors
  • CMO was not aware of the security breach until notified by a customer.
  • CMO received approximately 50 complaints and enquiries from its customers as a result of the security breach.
Mitigating Factors
  • CMO’s website was subjected to a criminal attack.
  • CMO notified the data subjects so that fraudulent transactions were intercepted.
  • CMO was co-operative during the ICO’s investigation.
  • CMO took substantial remedial action.
  • A monetary penalty might have a significant impact on CMO’s reputation and to some extent its resources.
Data breach by a barrister
10 March 2017
£1,000
DPA – 7th Principle
Factual Background
The data controller is a senior barrister who specialises in family law.
The barrister created documents at home on her standalone desktop computer. The computer was password protected but the files were unencrypted. In January 2013, the Bar Council issued guidance to barristers that specific files may require encryption to prevent unauthorised access to confidential matters by shared users. On 19 September 2015, the barrister's husband temporarily uploaded the barrister's files (725 documents) to an online directory to back them up before a software update.
On 5 January 2016, a local authority solicitor informed the barrister's Chambers that the documents containing confidential and sensitive information could be accessed on the internet. 15 of these had been cached and indexed, so could easily be found by searching for a recognisable word. 6 of the 15 contained confidential and highly sensitive information relating to lay clients who were involved in proceedings in the Court of Protection and the Family Court.
Between 200 and 250 individuals were affected by this incident, including vulnerable adults and children.
ICO Finding
The ICO found that the barrister did not have in place appropriate technical measures for ensuring that such an incident would not occur, i.e. for ensuring that her files could not be accessed by unauthorised third parties (DPA – 7th Principle). In particular, the barrister did not encrypt her files.
The Commissioner considered the contravention the result of a serious oversight rather than deliberate intent to ignore or bypass the provisions of the DPA. However, the Commissioner was satisfied that the barrister ought reasonably to have known that there was a risk that such an incident would occur unless she ensured that the files held on her desktop computer were technically secured.
Harm
The ICO was satisfied that the contravention was ‘serious’ due to the number of affected individuals, the nature of the personal data contained in the files and the potential consequences.
The files contained confidential and highly sensitive information relating to 200 to 250 individuals, some of whom were adults and children in vulnerable circumstances. The ICO considered that the contravention was of a kind likely to cause distress to the barrister's lay clients if they knew that their confidential and highly sensitive information had been accessed by unauthorised third parties and could be further disseminated or misused.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
  • The barrister was fully co-operative with the ICO.
  • The barrister has taken remedial action.
Digitonomy Limited
13 February 2017
£120,000
PECR – Regulation 22
Factual Background
Digitonomy is a credit broker which introduces borrowers and lenders for the purposes of entering into loan agreements. It generates leads for its businesses through affiliates who send marketing text messages directing individuals to websites owned by them.
Between 6 April 2015 and 29 February 2016, 1408 complaints were received by the GSMA's Spam Reporting Service and a further 56 complaints were received by the ICO, relating to the receipt of unsolicited direct marketing text messages sent by Digitonomy. The GSMA’s Spam Reporting Service allows mobile users to report the receipt of unsolicited marketing text messages to the GSMA, who makes such complaints data available to the ICO. The ICO identified unsolicited direct marketing text messages sent by Digitonomy as being in the "Top 20" messages reported to the GSMA.
Digitonomy attempted to send 5,900,940 text messages during the period of complaint, of which 5,238,653 were successfully transmitted.
ICO Finding
The ICO found that Digitonomy had not received freely given, specific and informed consent from individuals to receive marketing text messages (Regulation 22 of PECR).
The ICO did not consider the contravention deliberate, but Digitonomy knew or ought reasonably to have known that there was a risk that this contravention would occur. The ICO found that Digitonomy had failed to take reasonable steps to prevent the contravention, stating that it had failed to undertake sufficient due diligence.
Harm
The ICO was satisfied that the contravention was 'serious' due to the large number of direct marketing text messages sent to subscribers without their consent and the resulting large number of complaints.
Aggravating Factors
  • Digitonomy might obtain a commercial advantage over its competitors by generating leads from unlawful marketing practices.
Mitigating Factors
  • There is potential for damage to Digitonomy's reputation which may affect future business.
Easyleads Limited
14 September 2017
£260,000
PECR – Regulations 19 and 24
Factual Background
Easyleads Limited (‘Easyleads’) is a marketing firm based in Coventry.
Between 22 October 2015 and 30 June 2017, Easyleads made 16,730,340 marketing calls to subscribers without their prior consent, resulting in 551 complaints to the ICO.
The automated calls contained recorded messages from Easyleads regarding an entitlement to a grant to replace oil or LPG boilers ‘totally free of charge’.
Many of the complaints reported that multiple calls were received and that there was an inability to opt-out of the calls. Others expressed distress as individuals would be expecting urgent calls only to receive an automated message about replacement boilers. Calls were also being made late at night and in the early hours of the morning with particular frequency over the May 2017 bank holiday weekend.
Easyleads was unable to provide evidence that it had the consent of the individuals to carry out such marketing calls.
ICO Finding
The ICO was satisfied that Easyleads did not have the consent of the individuals to whom it had made 16,730,340 automated direct marketing calls (Regulation 19 of PECR). The ICO also found that Easyleads failed to include the company name, address and telephone number in its automated messages, as required by Regulation 24 of PECR.
In particular, the ICO highlighted the following:
  • The wording of some of the automated calls was misleading in that it referred to a ‘government scheme’ and the offer of a ‘free boiler’.
  • Whilst the automated calls offered an ‘opt-out’ option, there is evidence to suggest that repeat calls were made to subscribers regardless of this.
  • There was a failure to ensure that an effective suppression system was in place to prevent repeat calls to those who had opted out.
The Commissioner was satisfied that Easyleads Limited did deliberately contravene Regulation 19 of PECR, in that the actions which constituted the contravention were deliberate.
Harm
The ICO was satisfied that the contravention was 'serious' due to the sheer extent of the contravention: Easyleads made over 16 million automated marketing calls without the prior consent of the affected individuals. This resulted in 551 complaints being made to the ICO. In particular, complainants expressed distress as some would be expecting urgent calls only to receive an automated message about replacement boilers. However, no financial loss is noted.
Aggravating Factors
  • Within 9 days of receiving a letter from the ICO to confirm that it was under investigation, Easyleads carried out a further marketing campaign and continued to make automated marketing calls.
  • The ICO’s direct marketing monthly threat assessments showed that one of the CLIs (calling line identities) used by Easyleads was the most complained about number for automated calls for four consecutive months, from March 2017 to June 2017.
  • Easyleads failed to engage with the ICO in assisting with its investigations, and failed to respond to queries.
Mitigating Factors
There were no mitigating features
Flybe Limited
20 March 2017
£70,000
PECR – Regulation 22
Factual background
Flybe Limited (‘Flybe’) is a large regional airline carrier, based in Exeter.
On 15 August 2016 it sent 3,662,973 e-mails to individuals entitled "Are your details correct?”. 3,333,940 of these were successfully received. The e-mail advised individuals to amend any out of date information and update any marketing preferences. The e-mail also stated that by updating their preferences they might be entered into a prize draw.
Flybe used a third party agent to distribute bulk e-mails. The agent holds Flybe's customer database and maintains the list of opt-in and opt-out individuals for direct marketing purposes. On this occasion, Flybe requested that its agent send e-mails to customers who had previously explicitly opted out of direct marketing.
ICO Finding
The ICO found that on 15 August 2016, Flybe instigated the transmission of 3,333,940 unsolicited communications by e-mail to individual subscribers for the purposes of direct marketing without their consent (Regulation 22 of PECR).
In addition, Flybe also instigated the sending of a further 329,033 marketing e-mails. Although these were not received by individuals, this evidences an attempt to send large volumes of marketing e-mails to individuals without consent to do so.
As the instigator of the e-mails, it was the responsibility of Flybe to ensure that sufficient consent had been acquired. The ICO was satisfied that Flybe did not have the required consent and deliberately contravened Regulation 22 of PECR.
Harm
The ICO was satisfied that the contravention was ‘serious’ due to the large volume of direct marketing e-mails sent to subscribers without their consent. Flybe was aware that the e-mail was being sent to individuals who, according to its records, had previously indicated that they did not consent to receive direct marketing.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
The Guide Dogs for the Blind Association
3 April 2017
£15,000
DPA – 1st Principle, 2nd Principle
(PECR – Regulation 21 also considered, but was not a basis for the monetary penalty)
Factual Background
The Guide Dogs for the Blind Association (‘GDBA’) is a British charitable organisation founded in 1934.
Wealth screening
The GDBA used the services of wealth screening companies to analyse the financial status of its supporters in order to identify wealthy or high value individuals. The personal data which the GDBA provided to the wealth screening companies included supporters' names and addresses and information relating to their donation history. The GDBA informed the ICO that it had undertaken such activity in respect of its entire database of donors in 2008 and 2012, and more specific activity in 2010 and 2015. In total, the GDBA performed wealth screening on over 1.7m data subjects.
Data-matching and tele-matching
The GDBA had used the services of an external company to undertake tele-matching on its behalf since at least 2010. The GDBA has 248,094 matched telephone numbers on its database, of which 165,730 are Telephone Preference Service (‘TPS’) registered. The TPS is a register of numbers allocated to subscribers who have notified the TPS that they do not wish to receive unsolicited calls for direct marketing purposes on those lines. 163,180 of those have been added to the database since 6 April 2010.
The GDBA did not have specific consent from data subjects for whom it had matched telephone numbers, but who were TPS registered, to receive live telephone calls from the GDBA. It relied on generic consents provided to it by its commercial third party tele-matching data provider. Those generic consents referred only to contact from third parties and not to the GDBA. The GDBA accepted that until the summer of 2015, it did not screen its tele-matched calls against the TPS registration list.
The GDBA also used the services of an external company to identify donors to the GDBA who had not agreed to gift aid their donations by reference to donations they had made to other charitable organisations where gift aid was agreed. Those identified donors would then be contacted by the GDBA with material about using gift aid.
ICO Finding
The ICO was satisfied that the contraventions of the Data Protection Act 1998 (‘DPA’) were deliberate, in the sense that the actions of the GDBA were deliberate. While the GDBA may not have deliberately set out to contravene the DPA, it deliberately acted in such a way that it did so. The ICO also found that the GDBA failed to take reasonable steps to prevent the contraventions of the DPA from occurring.
Wealth screening
The ICO found that the GDBA unfairly processed individuals’ personal data because using their data to perform wealth screening was not in the reasonable expectation of those individuals and they were not informed that GDBA would adopt these techniques (through the GDBA’s privacy policy or otherwise) (DPA – 1st Principle). The ICO also found that the purpose of wealth analysis was incompatible with the purposes for which the data were obtained (administrating the donation, and if the individual consented, for marketing purposes) (DPA – 2nd Principle).
Data-matching and tele-matching
The ICO also found that it was unfair for the GDBA to use the data for data-matching and/or tele-matching purposes without the consent of the data subjects, and that such activities were incompatible with the purposes explained in its privacy notices (DPA – 1st Principle, 2nd Principle).
The ICO also considered that by making telephonic contacts with persons who had not provided their specific consent to receiving direct marketing telephone calls from the GDBA and who were TPS registered the GDBA had contravened Regulation 21 of PECR. This contravention was recorded by the ICO as an additional matter of concern but was not used as a basis for the MPN.
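Three of the cases on this page turn on the same missing control: Easyleads had no effective suppression system for people who had opted out of its automated calls, Flybe's agent held an opt-out list but was instructed to mail past it, and the GDBA relied on generic "third party" consents obtained by its tele-matching supplier and did not screen tele-matched numbers against the TPS. The following is an added example, not code from the ICO notices or from any organisation named here, of the screening step that sits between a contact database and the dialler or mail agent. The record layout, the sender name, the number formats and all sample data are constructed; the rule that consent given specifically to the caller overrides a TPS registration follows Regulation 21 of PECR.

```python
"""Consent and suppression screening before a marketing campaign (added example).

Constructed illustration: field names and sample contacts are invented.
Every contact is screened against (a) the organisation's own opt-out list,
(b) the TPS register, and (c) the requirement that consent be specific to
the sending organisation. Numbers are normalised first so that formatting
differences cannot make a suppression entry silently fail to match.
"""
import re
from dataclasses import dataclass

SENDER = "Example Charity"   # hypothetical name of the organisation making the calls


@dataclass(frozen=True)
class Contact:
    contact_id: str
    phone: str                              # as stored, any formatting
    consent_for: frozenset = frozenset()    # organisations the subject agreed to hear from
    opted_out: bool = False                 # subject told *this* organisation to stop


def normalise_uk_number(raw: str) -> str:
    """Reduce a UK number to a canonical +44... form so list matches are exact."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("0044"):
        digits = digits[4:]
    elif digits.startswith("44") and len(digits) > 10:
        digits = digits[2:]
    elif digits.startswith("0"):
        digits = digits[1:]
    return "+44" + digits


def screen(contacts, sender, tps_register, internal_optouts):
    """Return (send_list, suppressed), where suppressed maps contact_id -> reason.

    Order matters: an opt-out recorded against this organisation wins over
    everything, then duplicates within the campaign are removed (the repeat
    calls complained of in the Easyleads case), then consent is checked.
    A generic consent to 'third parties' is not consent to `sender`.
    """
    tps = {normalise_uk_number(n) for n in tps_register}
    optouts = {normalise_uk_number(n) for n in internal_optouts}
    already_dialling = set()
    send_list, suppressed = [], {}
    for c in contacts:
        number = normalise_uk_number(c.phone)
        if c.opted_out or number in optouts:
            suppressed[c.contact_id] = "internal opt-out"
        elif number in already_dialling:
            suppressed[c.contact_id] = "duplicate number in campaign"
        elif sender in c.consent_for:
            # Specific consent to this caller: permitted even if TPS registered,
            # because the subscriber has told this caller they do not object.
            send_list.append(c.contact_id)
            already_dialling.add(number)
        elif number in tps:
            suppressed[c.contact_id] = "TPS registered, no consent specific to sender"
        else:
            suppressed[c.contact_id] = "no consent specific to sender"
    return send_list, suppressed


def run_demo():
    """Constructed register, opt-out list and contacts covering each outcome."""
    tps_register = ["0161 496 0001", "0161 496 0004"]          # constructed TPS extract
    internal_optouts = ["+44 161 496 0005"]                     # our own 'do not call' list
    contacts = [
        Contact("c1", "0161 496 0000", frozenset({SENDER})),                  # clean: send
        Contact("c2", "+44 161 496 0001", frozenset({"third parties"})),      # TPS, generic consent only
        Contact("c3", "01614960002", frozenset({SENDER}), opted_out=True),    # told us to stop
        Contact("c4", "0161 496 0003", frozenset({"third parties"})),         # generic consent only
        Contact("c5", "+441614960000", frozenset({SENDER})),                  # same number as c1
        Contact("c6", "0161 496 0004", frozenset({SENDER})),                  # TPS but consented to us
        Contact("c7", "0161 496 0005", frozenset({SENDER})),                  # on our opt-out list
    ]
    return screen(contacts, SENDER, tps_register, internal_optouts)


if __name__ == "__main__":
    to_send, held_back = run_demo()
    print("send:", to_send)
    for cid, reason in held_back.items():
        print(f"suppress {cid}: {reason}")
```

The suppressed dictionary is the audit record: it is what lets an organisation show a regulator why each number was or was not contacted, which none of the three organisations above could do.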
Harm
The ICO considered that the contraventions of the DPA were serious because of the length of time over which the contraventions took place, the number of data subjects whose rights were infringed, and the fact that data subjects were likely to have been affected by those contraventions in significant practical ways.
The ICO was satisfied that these contraventions were of a kind likely to cause substantial damage or substantial distress, taking into account that:
  • at least some proportion of data subjects are likely to be distressed as a result of the contravention;
  • at least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with additional approaches from the GDBA; and
  • given the scale and duration of the contraventions, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • The GDBA had followed the unlawful practices described above over a period of several years.
  • The GDBA's practices appear to have been driven by financial gain. The fact that it is a charity is not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.
  • The GDBA had contravened the fundamental rights of very large numbers of individuals to have their personal data processed in accordance with the DPA and Directive 95/46/EC.
  • By failing to adequately explain to data subjects how their personal data would be used, the GDBA had deprived them of control and informed decision-making about their personal data to a significant extent.
  • The GDBA's activities as described above have exposed the relevant data subjects to substantially distressing and/or damaging consequences, including intrusions into their privacy due to increased direct marketing communications from the GDBA. It is likely that many individuals will have been persuaded by the GDBA to increase their financial support. Those financial consequences will to a significant extent have flowed from the GDBA's unlawful data protection practices.
  • It is likely that the GDBA have also contravened Regulation 21 of PECR.
Mitigating Factors
  • The GDBA co-operated with the Commissioner's investigations.
  • The GDBA is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • The GDBA has taken remedial action.
  • The GDBA's practices may to an extent have reflected commonplace - albeit mistaken and unlawful - approaches in the charitable sector.
  • The intended monetary penalty may have negative reputational consequences.
Gloucester City Council
26 May 2017
£100,000
DPA – 7th Principle
Factual Background
On 17 April 2014 the Council’s IT staff identified a vulnerability in its own systems when using an appliance known as ‘SonicWall’.
A software patch for the vulnerability was available by the time of discovery, but the Council’s third party IT outsourcers overlooked it and therefore the software patch was not applied.
In July 2014, Senior Officers of the Council had their Twitter accounts compromised by an attacker who also gained access to 16 user mailboxes via the vulnerability in the SonicWall appliance. The attacker was able to download 30,000 emails from these mailboxes which contained financial and sensitive personal information on approximately 40 members of current or former staff.
ICO Finding
The ICO found that the Council failed to take appropriate technical and organisational measures for ensuring that emails containing financial and sensitive personal information could not be accessed (DPA – 7th Principle). In particular, the Council did not have a process in place to ensure that, during the outsourcing of its IT services, the software patch was applied.
Harm
The ICO found that the Council’s current or former staff had an expectation that their financial and sensitive personal data would have been held securely and that the Council’s failure to do so had likely caused distress to the affected current and former staff.
The ICO also found that as the attacker had not been identified and the emails had not been recovered, further disclosure was possible and could cause damage as well as additional distress.
Aggravating Factors
  • The Council was not aware of the incident until the attacker notified it.
  • The attacker had the option to download even more emails if they had chosen to do so.
Mitigating Factors
  • The Council’s systems were subject to a criminal attack.
  • The Council reported the incident to the ICO and was co-operative during the investigation.
  • The Council has taken significant remedial action.
  • The intended monetary penalty may have a significant effect on the Council’s reputation and (to some extent) its resources.
Great Ormond Street Hospital Children’s Charity
3 April 2017
£11,000
DPA – 1st Principle, 2nd Principle
Factual Background
Great Ormond Street Hospital Children’s Charity (‘GOSHCC’) is an academic medical research centre specialising in paediatrics.
Sharing personal data with third parties
Between 2011 and September 2015, GOSHCC participated in the Reciprocate Scheme. During this period the GOSHCC disclosed batches of records containing unique reference numbers; names; addresses; last donation amount, Gift Aid status; and information about donation type. In total, GOSHCC disclosed 910,283 batches of records containing personal data to around 40 other charities while participating in the scheme.
Wealth screening
GOSHCC also used the services of a wealth screening company to run two campaigns to analyse the financial status of its supporters in order to identify those that would have the capacity and propensity to make a larger donation, and to predict whether they were likely to leave a legacy. The personal data which GOSHCC provided to the wealth screening company included supporters’ names, telephone numbers and email addresses. Between April 2010 and June 2016 it processed on average 795,000 records per month for the purposes of wealth screening.
Data-matching
Between 2012 and 2015, GOSHCC used the services of an external company to match email addresses to individual supporters’ records. GOSHCC matched 103,500 email addresses to the personal data of supporters. GOSHCC also matched 208,000 dates of birth to individual supporters’ records.
ICO Finding
The ICO was satisfied that the contraventions were deliberate, in the sense that the actions of GOSHCC were deliberate. While GOSHCC may not have deliberately set out to contravene the DPA, it deliberately acted in such a way that it did so. The ICO also found that GOSHCC failed to take reasonable steps to prevent the contraventions of the DPA from occurring.
Sharing personal data with third parties
The ICO found that GOSHCC unfairly processed individuals’ personal data because the terms of its privacy notice were unduly vague and/or ambiguous and did not provide data subjects with adequate information as to how their personal data would be shared via the schemes (DPA – 1st Principle). The ICO also found that the sharing of personal data via the schemes was incompatible with the purposes explained in GOSHCC’s privacy notices (DPA – 2nd Principle).
Wealth screening
The ICO found that GOSHCC unfairly processed individuals’ personal data because using their data to perform wealth screening was not in the reasonable expectation of those individuals and they were not informed that GOSHCC would adopt these techniques (through GOSHCC’s privacy policy or otherwise) (DPA – 1st Principle). The ICO also found that the purpose of wealth analysis was incompatible with the purposes for which the data were obtained (administrating the donation, and if the individual consented, for marketing purposes) (DPA – 2nd Principle).
Data-matching
The ICO found that it was unfair for GOSHCC to use the data for data-matching purposes without the consent of the data subjects, and that such activities were incompatible with the purposes explained in its privacy notices (DPA – 1st Principle, 2nd Principle).
Harm
The ICO considered that the contraventions were serious because of the length of time over which the contraventions took place, the number of data subjects whose rights were infringed, and the fact that data subjects were likely to have been affected by those contraventions in significant practical ways.
The ICO was satisfied that these contraventions were of a kind likely to cause substantial damage or substantial distress, taking into account that:
  • at least some proportion of data subjects are likely to be distressed as a result of the contravention;
  • at least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with additional approaches from GOSHCC; and
  • given the scale and duration of the contraventions, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • GOSHCC had engaged in the unlawful practices over a period of several years.
  • GOSHCC’s practices were driven by financial gain. This is aggravated by the fact that the public may expect charities to be especially vigilant in complying with their legal obligations.
  • GOSHCC had contravened the fundamental right of data subjects to have their personal data processed in accordance with the Data Protection Act 1998 and Directive 95/46/EC.
  • By failing to adequately explain to the data subjects the manner in which their personal information would be processed, GOSHCC had deprived the individuals of control and informed decision making about their personal data.
  • GOSHCC's activities exposed the relevant data subjects to substantially distressing consequences, including intrusions into their privacy due to increased direct marketing communications. It is likely that many individuals will have been persuaded by GOSHCC to increase their financial support. Those financial consequences will to a significant extent have flowed from GOSHCC's unlawful data protection practices.
Mitigating Factors
  • GOSHCC co-operated with the Commissioner’s investigations.
  • GOSHCC is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • GOSHCC took remedial action.
  • GOSHCC’s practices may to an extent have reflected commonplace—albeit mistaken and unlawful—approaches in the charitable sector.
  • The intended monetary penalty may have negative reputational consequences.
Greater Manchester Police
2 May 2017
£150,000
DPA – 7th Principle
Factual Background
In 2015 Greater Manchester Police (‘GMP’) sent three unencrypted DVDs by Recorded Delivery to the Serious Crime Analysis Section (‘SCAS’). The DVDs contained footage of police interviews with victims of serious violent or sexual crimes in ongoing cases. The victims were named and talking openly about the crimes.
The SCAS did not receive the DVDs and they have not been recovered.
ICO Finding
The ICO found that GMP failed to take appropriate organisational measures against unauthorised or unlawful processing of personal data and against accidental loss of personal data (DPA – 7th Principle). GMP should have known or ought to have envisaged those risks and it did not take reasonable steps to prevent the loss.
The sending of similar DVDs by recorded delivery was an ongoing contravention from 2009 until this incident in 2015.
The ICO did not consider this contravention to be deliberate, however, the GMP should have known or ought to reasonably have known that there was a risk that this contravention would occur.
Harm
The ICO was satisfied that the contravention identified was ‘serious’ because the DVDs contained highly sensitive personal data. The ICO found that the loss of the DVDs was likely to cause substantial damage or distress to the victims. This included distress that their highly sensitive personal data could have been accessed by individuals who had no right to see that information. This could lead to further distress if that information was misused by untrustworthy third parties.
Aggravating Factors
  • The DVDs were not password protected.
Mitigating Factors
  • GMP referred the incident to the ICO and SCAS.
  • GMP was cooperative during the investigation.
  • As far as the ICO is aware, the information on the DVDs has not been further disseminated.
  • GMP notified the affected individuals and provided support.
  • GMP has taken remedial action until a technical solution can be found.
  • A monetary penalty may have a significant impact on GMP’s reputation.
H.P.A.S. Limited t/a Safestyle UK
31 July 2017
£70,000
PECR – Regulation 21
Factual Background
Safestyle’s business involves making marketing calls to subscribers in order to sell its products and services, including windows and doors to homeowners.
Between 1 May 2015 and 31 December 2016, the Commissioner received 264 complaints about unsolicited direct marketing calls made by Safestyle. Of those complaints, 178 were made to the Telephone Preference Service (‘TPS’), with a further 86 made directly to the ICO. All of these complaints were made by individual subscribers who were registered with the TPS, a register of numbers allocated to subscribers who have notified the ICO that they do not wish to receive unsolicited calls for direct marketing purposes, and/or who had not given their prior consent to Safestyle to receive direct marketing calls.
On 18 January 2016, the Commissioner wrote to Safestyle explaining that the ICO and the TPS had received complaints from individual subscribers in relation to unsolicited calls. Safestyle explained that it only canvassed existing customers and enquirers who had provided their number requesting a quotation to follow up on interest expressed. Safestyle said that it did not screen against the TPS as that would prevent it from contacting customers who are registered but who have nonetheless invited contact for quotation and sales purposes. Safestyle indicated it operates a suppression list and adds the telephone numbers of anybody asking not to be called again. Safestyle also advised that it was revisiting the way it conducted marketing in order to improve its practice and procedures.
Safestyle underwent three periods of monitoring to determine whether there was a suitable reduction in the number of complaints being recorded. However, despite Safestyle’s assurances of its continued commitment to preventing unwanted contact with its customers, the Commissioner continued to receive an unacceptable level of complaints.
ICO Finding
The Commissioner found that Safestyle made unsolicited direct marketing calls without the appropriate consent (Regulation 21 of PECR).
The ICO also found that Safestyle failed to screen the numbers against the TPS, maintain an accurate suppression list, and otherwise failed to take reasonable steps to prevent the contravention. Whilst the Commissioner was satisfied that Safestyle had not set out to deliberately contravene PECR, it knew or ought to have known that its direct marketing activities would lead to a contravention and was therefore negligent.
Harm
The ICO held that the contravention was ‘serious’ due to the number of complaints made, and the extended period over which the contraventions occurred. No financial loss was experienced by those affected, however they did experience a diversion of resources and time in having to deal with the unsolicited calls, and in having to report these to the TPS and the ICO.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
HCA International Ltd
23 February 2017
£200,000
DPA – 7th and 8th Principles
Factual Background
HCA International Ltd (‘HCA’) owns private hospitals including the Lister Hospital in London. It provides a wide range of services to private patients, including IVF treatment.
Beginning in 2009, Lister Hospital sent unencrypted audio recordings of private consultations by email to a data processor in India for transcription. HCA was aware that the data processor used an unsecured FTP server to store the recordings. The server did not have an authentication process to restrict access to the transcripts.
On 8 April 2015, a patient informed the hospital that transcripts of consultations containing confidential and sensitive personal data could be accessed via an internet search engine.
ICO Finding
The ICO found that HCA failed to take appropriate technical measures against unauthorised or unlawful processing of personal data in contravention of the seventh data protection principle. In particular:
  • HCA sent unencrypted recordings by email to the data processor in India;
  • HCA had no guarantee that the data processor would use a secure FTP server to store the recordings and then send completed transcripts to the hospital;
  • HCA had no guarantee that the data processor would erase the recordings after they had been transcribed;
  • HCA failed to monitor the data processor in relation to any security measures taken by it; and
  • HCA did not have a DPA compliant contract with the data processor in relation to the processing.
The contravention was ongoing from 2009 until HCA took remedial action following the security breach on 8 April 2015.
The ICO did not consider the contravention deliberate but HCA should have known or ought reasonably to have known that there was a risk that this contravention would occur and that it would be of a kind likely to cause substantial distress. The ICO found that HCA failed to take reasonable steps to prevent the contravention.
The ICO also found that the eighth data protection principle was contravened by HCA, in that data was transferred outside the EEA without an adequate level of protection.
Harm
The ICO was satisfied that the contravention was serious as the transcripts contained confidential and sensitive personal data. The ICO also had regard to the number of affected individuals and the possible consequences.
The ICO considered that the contravention would cause distress to patients and that such distress was likely to be substantial, having regard to the number of affected individuals and the nature of the personal data involved.
Aggravating Factors
No mention of aggravating factors
Mitigating Factors
  • HCA voluntarily reported the breach to the ICO.
  • HCA were fully co-operative with the ICO.
  • HCA have taken substantial remedial action.
  • There will be a significant impact on HCA’s reputation as a result of this security breach.
Hamilton Digital Solutions Limited
16 November 2017
£45,000
PECR – Regulation 22
Factual Background
Hamilton Digital Solutions Ltd (‘HDSL’) is a London-based online technology and telecoms company.
Between 1 April 2016 and 19 September 2016, HDSL used a public electronic telecommunications service to transmit 156,250 unsolicited communications by e-mail to individual subscribers for the purposes of direct marketing.
HDSL used third-parties to send the marketing text messages, who would act as an ‘introducer’ of customers to HDSL. In response to correspondence from the ICO, HDSL indicated that they would carry out an “extensive due diligence exercise” with each new introducer, including a review of the permissions held; its ‘privacy policy’; consents; and data sources.
HDSL gave the ICO details of the consent relied upon for the direct marketing that had been provided by the ‘introducer’ which sent the messages.
ICO Finding
The ICO found that HDSL instigated the sending of 156,250 unsolicited direct marketing text messages without consent (Regulation 22 of PECR).
In particular, the ICO stated that organisations can generally only send marketing texts to individuals if that person has specifically consented to receiving them from the sender. The ICO also explained that particular care must be taken when relying on "indirect consent", and that it is not acceptable to rely on assurances given by third party suppliers without undertaking proper due diligence. The ICO found the evidence of consent relied upon by HDSL for the direct marketing that had been provided by the ‘introducer’ was insufficient for the purposes of Regulation 22 PECR.
The ICO did not consider the contravention deliberate but stated that HDSL should have known or ought reasonably to have known that there was a risk that this contravention would occur. The ICO found that HDSL had failed to take reasonable steps to prevent the contravention.
Harm
The ICO was satisfied that the contravention identified was ‘serious’, owing to the fact that between 1 April 2016 and 19 September 2016, HDSL sent a total of 156,250 direct marketing text messages to subscribers without their consent. Between 1 April 2016 and 9 May 2016, this action resulted in 595 complaints.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
Home Logic UK Ltd
15 August 2017
£50,000
PECR – Regulation 21
Factual Background
Home Logic UK Ltd (‘Home Logic’) is a provider of home energy saving solutions and products.
Between 1 April 2015 and 31 July 2016, Home Logic made 1,475,969 unsolicited direct marketing calls promoting its services to subscribers. During this period, 136 complaints regarding these calls were made to the Telephone Preference Service (‘TPS’) by TPS-registered individuals. The TPS is a register of numbers allocated to subscribers who have notified the TPS that they do not wish to receive unsolicited calls for direct marketing purposes on those lines.
Home Logic licensed the data used to make the calls from third party data providers. These third parties assured Home Logic that the data subjects had ‘opted-in’ and/or were screened against the TPS. However, one third party provider made it clear in its contract with Home Logic that it was the purchaser's responsibility to conduct such screenings.
Home Logic informed the ICO that it did upload data to a dialler system for screening against the TPS. However, due to technical difficulties, the dialler system was unavailable for a period of 90 days during which time Home Logic continued to make unsolicited direct marketing calls without taking any other steps to screen against the TPS.
Home Logic was unable to provide evidence that it had consent to make calls to the subscribers who had complained to the TPS.
ICO Finding
The ICO held that Home Logic made unsolicited direct marketing calls to subscribers who had registered with the TPS without obtaining prior consent (Regulation 21 of PECR).
Although the ICO determined that Home Logic did not deliberately contravene Regulation 21 of PECR, it ought reasonably to have known that there was a risk that these contraventions would occur, particularly because:
  • Home Logic relied heavily on direct marketing due to the nature of its business;
  • the issue of unsolicited calls was widely publicised by the media as being a problem;
  • the dialler system used by Home Logic to screen against the TPS was unavailable for 90 days during which time Home Logic continued to make unsolicited calls without taking any steps to screen against the TPS; and
  • the ICO had published detailed guidance for companies carrying out marketing explaining the legal requirements under PECR.
The ICO further held that Home Logic did not take reasonable steps to prevent the contravention, which could have included the following:
  • asking its third party data providers for evidence that subscribers had consented to receiving calls; and
  • screening the data against the TPS itself, regardless of any assurances that might have been given by the third party data providers.
Harm
The ICO was satisfied that the contravention was 'serious' as there had been multiple breaches of Regulation 21 of PECR over a 15 month period, leading to a significant number of complaints being made. However, it did not appear that any individuals affected suffered financial damage.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
Honda Motor Europe Limited t/a Honda (U.K.)
20 March 2017
£13,000
PECR – Regulation 22
Factual Background
Honda Motor Europe Limited (‘Honda’) is responsible for the sale of Honda products in the UK, including cars and motorbikes. It also coordinates Honda's operations in Europe.
Between 1 May 2016 and 22 August 2016 Honda sent a large number of e-mails to individuals entitled "would you like to hear from Honda?" in order to clarify marketing preferences. The e-mail was sent to those individuals on the database where no 'opt in' or 'opt out' information was held.
Honda explained to the ICO that it had sent the e-mail as a service email, rather than as a marketing e-mail.
Honda obtains personal data of individuals and their specific preferences for direct marketing purposes in a number of ways, including through authorised dealers who are expected to adhere to Honda's Data Management Policy and Guidelines. Due to a design flaw, some dealers had input data onto Honda's central customer database and had confirmed that an individual had agreed to direct marketing, but had left the actual marketing preferences field blank, because completing that yes/no field was not mandatory.
ICO Finding
The ICO found that between 1 May 2016 and 22 August 2016, Honda instigated the transmission of 289,093 unsolicited communications by e-mail to individual subscribers for the purposes of direct marketing without consent (Regulation 22 of PECR).
As the instigator of the e-mails, Honda was responsible for ensuring that sufficient consent had been acquired. The ICO was satisfied that Honda did not have the requisite consent.
The ICO also found Honda had failed to take reasonable steps to prevent the contraventions.
The Commissioner did not consider the contravention deliberate, however, Honda knew or ought to reasonably have known that there was a risk that these contraventions would occur.
Harm
The Commissioner was satisfied that the contravention was ‘serious’ because of the number of individuals affected.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
The International Fund for Animal Welfare
3 April 2017
£18,000
DPA – 1st Principle, 2nd Principle
(PECR – Regulation 22 also considered, but was not a basis for the monetary penalty)
Factual Background
The International Fund for Animal Welfare (‘IFAW’) is one of the largest animal welfare and conservation charities in the world.
Sharing personal data with third parties
The IFAW shared personal data as part of a Reciprocate Scheme. The Reciprocate Scheme was run by an external company and enabled participating charities to share or swap the personal data of donors or prospective donors. The IFAW participated in the Reciprocate Scheme and another similar scheme between 2011 and September 2015 inclusive. During this period, 4,948,633 records were disclosed, some of which may have been shared more than once.
Wealth screening
The IFAW also provided personal data to wealth screening companies. The personal data which IFAW provided to the wealth screening companies included supporters' names and addresses, as well as internal coding information related to the donation history of the relevant data subject. The IFAW submitted a total of 685,956 records for wealth screening in 2012 and 2013, relating to 466,206 individual supporters.
Data-matching and tele-matching
The IFAW also used the services of an external company to undertake tele-matching on its behalf since at least 1995. Data-matching is the use of personal data to obtain and use other items of personal data which data subjects may have chosen not to provide to the data controller, and tele-matching is a form of data-matching by which telephone numbers are obtained and used. The IFAW matched 220,286 telephone numbers to supporters for whom it had other personal data between 2006 and 2016. IFAW also used the services of an external company to match e-mail addresses to individual supporter records in 2012 and 2013. The IFAW matched 50,282 email addresses to the personal data of supporters, and proceeded to email all of them.
ICO Finding
The ICO was satisfied that the contraventions of the Data Protection Act 1998 (‘DPA’) were deliberate, in the sense that the actions of the IFAW were deliberate. While the IFAW may not have deliberately set out to contravene the DPA, it deliberately acted in such a way that it did so. The ICO also found that the IFAW failed to take reasonable steps to prevent the contraventions of the DPA from occurring.
Sharing personal data with third parties
The ICO found that IFAW unfairly processed individuals’ personal data because the terms of its privacy notice were unduly vague and/or ambiguous and did not provide data subjects with adequate information as to how their personal data would be shared via the schemes (DPA – 1st Principle). The ICO also found that the sharing of personal data via the schemes was incompatible with the purposes explained in IFAW’s privacy notices (DPA – 2nd Principle).
Wealth screening
The ICO found that the IFAW unfairly processed individuals’ personal data because using their data to perform wealth screening was not in the reasonable expectation of those individuals and they were not informed that IFAW would adopt these techniques (through the IFAW’s privacy policy or otherwise) (DPA – 1st Principle). The ICO also found that the purpose of wealth analysis was incompatible with the purposes for which the data were obtained (administrating the donation, and if the individual consented, for marketing purposes) (DPA – 2nd Principle).
Data-matching and tele-matching
The ICO found that it was unfair for the IFAW to use the data for data-matching and/or tele-matching purposes without consent of the data subjects and that such activities were incompatible with the purposes explained in their privacy notices (DPA – 1st Principle, 2nd Principle).
The ICO also considered that by sending emails to persons who had not provided their specific consent to receiving direct marketing e-mails from IFAW, IFAW contravened Regulation 22 of PECR. This contravention was recorded by the ICO as an additional matter of concern but was not used as a basis for the MPN.
Harm
The ICO considered that the contraventions of the DPA were serious because of the length of time over which the contraventions took place, the number of data subjects whose rights were infringed, and the fact that data subjects were likely to have been affected by those contraventions in significant practical ways.
The ICO was satisfied that these contraventions were of a kind likely to cause substantial damage or substantial distress, taking into account that:
  • at least some proportion of data subjects are likely to be distressed as a result of the contravention;
  • at least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with additional approaches from the IFAW; and
  • given the scale and duration of the contraventions, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • IFAW had followed the unlawful practices described above over a period of several years.
  • IFAW's practices appear to have been driven by financial gain. The fact that it is a charity is not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.
  • IFAW had contravened the fundamental rights of very large numbers of individuals to have their personal data processed in accordance with the DPA and Directive 95/46/EC.
  • The number of persons affected by the various breaches of the DPA is considerably higher than the number covered by the contraventions specifically set out in this Notice, because some of the contraventions of the DPA occurred before the power to impose a monetary penalty existed.
  • By failing to adequately explain to data subjects how their personal data would be used, IFAW has deprived them of control and informed decision-making about their personal data to a significant extent.
  • IFAW's activities have exposed the relevant data subjects to substantially distressing and/or damaging consequences, including intrusions into their privacy due to increased direct marketing communications from IFAW and/or other charities. It is likely that many individuals will have been persuaded, by IFAW and/or other charities, to increase their financial support. Those financial consequences will to a significant extent have flowed from IFAW's unlawful data protection practices.
  • It is likely that IFAW has also contravened Regulation 22 of PECR.
Mitigating Factors
  • IFAW co-operated with the Commissioner's investigations.
  • IFAW is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • IFAW has taken remedial action.
  • IFAW's practices may to an extent have reflected commonplace – albeit mistaken and unlawful – approaches in the charitable sector.
  • The intended monetary penalty may have negative reputational consequences.
IT Protect Ltd
11 January 2017
£40,000
PECR – Regulation 21
Factual Background
IT Protect Ltd’s (‘IT Protect’) business involves making unsolicited marketing calls to elderly subscribers in order to sell a call blocking device to "stop" unwanted marketing calls.
Between 6 April 2016 and 16 May 2016, IT Protect made 157 unsolicited marketing calls to subscribers who were registered with the Telephone Preference Service (‘TPS’). The TPS is a register of numbers allocated to subscribers who have notified the TPS that they do not wish to receive unsolicited calls for direct marketing purposes on those lines.
The ICO received 35 complaints about IT Protect from individual subscribers who were registered with the TPS. The TPS received 122 complaints about IT Protect and referred all of these to IT Protect and also notified the ICO. IT Protect did not respond to the TPS on 69 occasions.
IT Protect explained to the ICO that it had purchased opt-in data from a third party company; however, it had not carried out any due diligence checks to ensure that the subscribers concerned had given their consent to receive such calls from IT Protect.
ICO Finding
The ICO found that IT Protect did not have the appropriate consent to make unsolicited direct marketing calls to subscribers registered with the TPS (Regulation 21 of PECR).
The ICO did not consider the contravention deliberate, but stated that IT Protect should have known or ought reasonably to have known that there was a risk that this contravention would occur. The ICO found that IT Protect had failed to take reasonable steps to prevent the contravention.
Harm
The ICO was satisfied that the contravention was 'serious' due to there being multiple breaches, the duration of the contravention and the number of complaints received.
Individual subscribers complained that the calls were misleading as they gave the impression that IT Protect was calling on behalf of BT, and some complainants alleged that IT Protect preyed on the elderly.
The contravention was exacerbated by the fact that IT Protect was making unsolicited marketing calls to elderly subscribers to sell them a call blocking device to "stop" unwanted marketing calls.
Aggravating Factors
  • IT Protect may obtain a commercial advantage over its competitors by generating leads from unlawful marketing practices.
Mitigating Factors
  • There is a potential for damage to IT Protect’s reputation which may affect future business.
Keurboom Communications Ltd
3 May 2017
£400,000
PECR – Regulation 19
Factual Background
Keurboom Communications Ltd (‘Keurboom’) provides (among other things) telephony services including “voice broadcasting” to companies in order to generate leads so that they can maximise their potential sales.
Between 29 April 2015 and 7 June 2016, the ICO received 1,036 complaints via its online reporting tool. The essence of the complaints was that automated marketing calls had been received by subscribers, mainly in relation to road traffic accidents and PPI claims. Some of the complainants had also received repeat calls (sometimes on the same day) and at unsocial hours.
The calls allowed an option to press 5 if interested, or an option to press 9 to be removed from the list. The calls did not identify the sender and the option of being connected to a person or suppressing the number was not always effective. Some of the calls were also misleading because they gave the impression that the calls were urgent and related to a recent road traffic accident or an ongoing PPI claim.
ICO Finding
The Commissioner found that Keurboom instigated automated marketing calls to subscribers without their prior consent (Regulation 19 of PECR).
Between 1 October 2014 and 31 March 2016, Keurboom sent or instigated 99,535,654 automated marketing calls to subscribers without their prior consent.
The ICO also found that Keurboom’s actions which constituted the contravention were deliberate actions (even if Keurboom did not actually intend thereby to contravene PECR).
Harm
The ICO was satisfied that the contravention identified was ‘serious’ because of the number of individuals affected and the extent of the contravention.
Aggravating Factors
  • Keurboom did not co-operate with the Commissioner's investigation.
  • Keurboom might obtain a commercial advantage over its competitors by generating leads from unlawful marketing practices.
Mitigating Factors
There were no mitigating features
LAD Media Limited
18 January 2017
£50,000 – reduced on appeal to £20,000
PECR – Regulation 22
Factual Background
LAD Media Limited (‘LAD Media’) is a lead generation and data brokerage business operating in the financial services, debt management and consumer claims sector.
Between 6 January 2016 and 10 March 2016 LAD Media instigated the sending of 393,872 direct marketing text messages to individuals. It had purchased the data used to send the messages from a third party data supplier and the text messages had then been sent on LAD Media’s behalf by another third party. LAD Media provided examples of the opt-in statements which had been relied on to the ICO, which included (among others) the following:
“By agreeing to these terms and condition we may contact you about services or products offered by us or other companies in our group or approved by us, which we believe you may be interested in, or to carry out market research about our services or products or those of third parties. We may also pass information to other companies approved by us so that they may contact you about services or products, which they believe you may be interested in. Contact for these purposes may be by post, email, SMS or by other means as we may agree with you from time to time. This will override any registrations you may have with any preference services.”
During this period, 158 complaints were received by the GSMA's Spam Reporting Service or direct to the ICO, relating to the receipt of unsolicited direct marketing text messages sent on behalf of LAD Media. The GSMA’s Spam Reporting Service allows mobile users to report the receipt of unsolicited marketing text messages to the GSMA, who makes such complaints data available to the ICO.
ICO Finding
The ICO found that LAD Media did not have the appropriate consent to send unsolicited direct marketing text messages to individuals (Regulation 22 of PECR).
The ICO did not consider the contravention deliberate but stated that LAD Media should have known or ought reasonably to have known that there was a risk that this contravention would occur.
The ICO found that LAD Media had failed to take reasonable steps to prevent the contravention, stating that it is not acceptable to rely on assurances of indirect consent without undertaking proper due diligence.
Harm
The ICO was satisfied that the contravention was 'serious' due to the number of messages sent and number of complaints received.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
Appeal
LAD Media appealed the ICO’s MPN and the Tribunal substituted the ICO’s MPN for an MPN on the same terms with the amount of the penalty amended to £20,000. The Tribunal found that there was a contravention of Regulation 22 of PECR as LAD Media did not have the necessary consents, the contravention was sufficiently serious and LAD Media knew or ought to have known the contravention would occur. However, the amount of the penalty was too high when considering the size of the company and the low levels of profit generated from the activity. Notably, the Tribunal set out some general factors which may be used to determine the amount of a monetary penalty:
  • The circumstances of the contravention;
  • The seriousness of that contravention, as assessed by the harm, either caused or likely to be caused, as a result; whether the contravention was deliberate or negligent; and the culpability of the person or organisation concerned, including an assessment of any steps taken to avoid the contravention;
  • Whether the recipient of the MPN is an individual or an organisation, including its size and sector;
  • The financial circumstances of the recipient of the MPN, including the impact of any monetary penalty;
  • Any steps taken to avoid further contravention(s); and
  • Any redress offered to those affected.
Laura Anderson Limited t/a Virgo Home Improvements
31 July 2017
£80,000
PECR – Regulation 21
Factual Background
Virgo Home Improvements (‘VHI’) sells home improvement products and services to residential homes in England.
Between 6 April 2015 and 22 November 2016, the ICO received 440 complaints about separate unsolicited direct marketing calls made by VHI. VHI had purchased 500,000 telephone numbers from a third party list supplier between 2010 and 2014, and following this used its own databases and a further purchase of 400,000 numbers to fuel its telemarketing activities. There were no contracts in place with the data suppliers, but Virgo said it had been assured by the relevant companies that the data was Telephone Preference Service (‘TPS’) screened prior to being provided to it. The TPS is a register of numbers allocated to subscribers who have notified the TPS that they do not wish to receive unsolicited calls for direct marketing purposes on those lines.
Virgo does not hold its own TPS licence and does not screen against the TPS register. Virgo indicated that it operates an internal suppression list and adds to it the telephone numbers of anybody asking not to be called again. Virgo also advised that prior to 2010, all data had been recorded and stored in a paper format which has now been destroyed following its transfer to an electronic format. Virgo was therefore unable to provide evidence of consent or that it had undertaken the appropriate due diligence with its list providers.
ICO Finding
The ICO found that VHI had made unsolicited calls for direct marketing purposes without the appropriate consent (Regulation 21 of PECR). The ICO considers that VHI had deliberately contravened Regulation 21 of PECR because VHI did not screen against the TPS, nor did it keep clear records of which individuals had consented to be called.
Harm
The ICO was satisfied that the contravention was ‘serious’ due to the large number of data subjects affected, and the duration of the contravention (spanning over a year). Furthermore, the ICO recognised that these calls were likely to have caused distress to some individuals, as many of the individuals had received repeated unsolicited calls and their opt-out requests were ignored. The ICO also highlighted the targeting of some vulnerable individuals, including the elderly, and anecdotally referenced instances of VHI repeatedly contacting grieving families.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
London Borough of Islington
7 August 2017
£70,000
DPA – 7th Principle
Factual Background
In 2012, Islington's internal application team developed 'TicketViewer' on behalf of Islington Parking Services (‘the application’). It was hosted separately to Islington's other systems. A user could log onto the application by entering the vehicle registration number (‘VRN’) and a parking ticket number to see a CCTV image or video of their alleged contravention or offence. If a user still wanted to appeal a parking ticket, they could send supporting evidence to Islington Parking Services by email or post. This included their name and address together with details of any mitigating circumstances such as health issues, disabilities and financial details. The back office processing centre scanned all of this information (including the parking ticket and the CCTV image or video that showed the VRN) onto the user's ticket attachment folder.
On 25 October 2015, Islington was informed by a user that the ticket attachment folders could be accessed by manipulating the URL in the user's browser. At that time, the ticket attachment folders contained personal data relating to approximately 89,000 users, including sensitive personal data and financial details. On 16 and 25 October 2015, external testing discovered that a total of 119 documents had been accessed a total of 235 times from 36 unique IP addresses affecting 71 individuals.
ICO finding
The ICO found that Islington failed to take appropriate technical measures against the unauthorised and unlawful processing of personal data (DPA – 7th Principle). The Commissioner did not consider the contravention to be deliberate; however, Islington ought reasonably to have known that there was a risk that unauthorised or unlawful access would occur unless it ensured that the personal data held in the ticket attachment folders was appropriately protected.
The ICO also found that Islington failed to take reasonable steps to prevent the contravention, such as ensuring that Islington’s IT security team tested the application prior to it going live, and carrying out regular testing subsequently.
Harm
The Commissioner is satisfied that the contravention was ‘serious’ due to the number of data subjects, the nature of the personal data that was held in some of the ticket attachment folders and the potential consequences. Further, the Commissioner considered that the contravention was of a kind likely to cause distress to the users if they knew that their personal data had been accessed by unauthorised individuals. The Commissioner also considers that such distress was likely to be substantial, having regard to the number of users and the nature of the data that was held in the ticket attachment folders.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
  • Islington referred this incident to the Commissioner, immediately took the application offline and was co-operative during the Commissioner's investigation.
  • The affected individuals were notified by Islington.
  • The Commissioner is not aware of the affected individuals actually suffering any damage or distress in this case.
  • A monetary penalty may have a significant impact on Islington's reputation, and to an extent, its resources.
  • This incident has been publicised on social media and in the local press.
Macmillan Cancer Support
3 April 2017
£14,000
DPA – 1st Principle, 2nd Principle
Factual Background
Macmillan Cancer Support (‘Macmillan’) is one of the largest British charities and provides specialist health care, information and financial support to people affected by cancer.
Wealth screening
Macmillan used the services of wealth screening companies to analyse the financial status of its supporters in order to identify wealthy or high value individuals. The personal data which Macmillan provided to the wealth screening companies included supporters' names and addresses and information relating to their donation history. The wealth screening companies then analysed the data in order to identify wealthy or high value individuals amongst Macmillan's donors. Macmillan confirmed that it had undertaken such activity in respect of donors on its database on two occasions, in 2009 and 2014. In 2014 details of 2,188,508 of its supporters had been processed for the purposes of wealth analysis.
Tele-matching
Macmillan had also used the services of an external company to undertake tele-matching on its behalf since 2009. The ICO understood that, while Macmillan does not hold records of the precise number of data subjects involved, it is likely to be several hundred thousand.
ICO Finding
The ICO was satisfied that these contraventions were deliberate, in the sense that the actions of Macmillan were deliberate. Alternatively, Macmillan ought reasonably to have known that there was a risk that the contraventions would occur, and that they would be of a kind likely to cause substantial damage or distress.
Wealth screening
The ICO found that Macmillan unfairly processed individuals’ personal data because using their data to perform wealth screening was not in the reasonable expectation of those individuals and they were not informed that Macmillan would adopt these techniques (through Macmillan’s privacy policy or otherwise) (DPA – 1st Principle). The ICO also found that the purpose of wealth analysis was incompatible with the purposes for which the data were obtained (administering the donation and, if the individual consented, for marketing purposes) (DPA – 2nd Principle).
Tele-matching
The ICO also found that it was unfair for Macmillan to use the data for data-matching and/or tele-matching purposes without consent of the data subjects and that such activities were incompatible with the purposes explained in their privacy notices (DPA – 1st Principle, 2nd Principle).
Harm
The ICO considered that the contraventions were serious because of the length of time over which the contraventions took place, the number of data subjects whose rights were infringed and the data subjects were likely to have been affected by those contraventions in significant practical ways.
The ICO was satisfied that these contraventions were of a kind likely to cause substantial damage or substantial distress, taking into account that:
  • at least some proportion of data subjects are likely to be distressed as a result of the contravention;
  • at least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with additional approaches from Macmillan; and
  • given the scale and duration of the contraventions, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • Macmillan followed the unlawful practices over a period of several years.
  • Macmillan's practices appeared to have been driven by financial gain. Its charitable status was not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.
  • Macmillan contravened the fundamental rights of very large numbers of individuals to have their personal data processed in accordance with the Data Protection Act 1998 and Directive 95/46/EC.
  • By failing adequately to explain to data subjects how their personal data would be used, Macmillan deprived them of control and informed decision-making about their personal data to a significant extent.
  • Macmillan's activities have exposed the relevant data subjects to substantially distressing and/or damaging consequences.
Mitigating Factors
  • Macmillan co-operated with the ICO's investigations.
  • Macmillan is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • Macmillan's practices may to an extent have reflected commonplace - albeit mistaken and unlawful - approaches in the charitable sector.
  • The intended monetary penalty may have negative reputational consequences.
Monevo Limited
13 April 2017
£40,000
PECR – Regulation 22
Factual Background
Monevo Limited (Monevo) is a financial brokerage company which offers to find lenders and financial service providers for applicants via an online service. Monevo engaged a third party to carry out a text marketing campaign on its behalf which directed recipients to a web link, which in turn redirected to the website of ‘Purple Payday’, a trading name of Monevo. 353,740 such text messages were sent.
44,172 of these text messages were sent using data obtained from three competition or money saving websites. The privacy notices on those websites were generic and unspecific and none indicated that the data would be used for sending direct marketing text messages by or on behalf of the company.
Between the dates of 1 April 2016 and 28 June 2016 GSMA’s Spam Reporting Service received 130 complaints in relation to the text messages sent on behalf of Monevo.
ICO Finding
The ICO found that in contracting with the affiliate company to send the direct marketing text messages on its behalf, Monevo instigated the sending of the text messages, regardless of whether or not the text messages had been in the form agreed.
As the instigator, it was Monevo’s responsibility to ensure that the necessary consent had been gained. The ICO was satisfied that Monevo did not have the consent of the 44,172 subscribers to whom it instigated the sending of unsolicited direct marketing messages (Regulation 22 of PECR).
In particular, Monevo:
  • failed to take reasonable steps to prevent the contraventions; and
  • did not carry out any, or any sufficient, due diligence to satisfy itself that the third party affiliate had obtained the data it was using fairly and lawfully, and that it had the necessary consent.
The Commissioner did not consider this contravention deliberate, but the Commissioner was satisfied that Monevo knew or ought reasonably to have known that there was a risk that these contraventions would occur.
Harm
The ICO was satisfied that the contravention was ‘serious’ owing to the number of individuals affected and the number of complaints received.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
Moneysupermarket.com Ltd
17 July 2017
£80,000
PECR – Regulation 22
Factual Background
Moneysupermarket.com Ltd (‘Moneysupermarket’) is an online price comparison service.
In December 2016, the company sent an email to a consumer advising them that the terms and conditions of the service had been updated. The individual complained to the ICO, stating that they had previously opted out of Moneysupermarket's marketing emails.
The ICO informed Moneysupermarket that organisations cannot email individuals who have opted out in order to ask them to consent to future marketing. Upon discussion with the ICO, Moneysupermarket confirmed that all of the customers sent the terms and conditions update email had previously opted out of receiving direct marketing emails. Further, Moneysupermarket was unable to evidence that any individuals contacted had subsequently consented to this marketing.
ICO Finding
The ICO found that Moneysupermarket knowingly instigated the transmission of 6,788,496 unsolicited marketing communications without the appropriate consent (Regulation 22 of PECR).
The ICO also found that Moneysupermarket failed to take reasonable steps to prevent the contraventions in this case. The ICO further considers that these actions were deliberate, as Moneysupermarket was aware that the emails were being sent, and that these individuals had not consented to the direct marketing.
Harm
The ICO was satisfied that the contravention was ‘serious’ due to the number of marketing emails sent without consent, which totalled 6,788,496 emails.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
Munee Hut LLP
10 March 2017
£20,000
PECR – Regulation 22
Factual Background
Munee Hut LLP (‘Munee Hut’) is a credit lending and brokerage business which markets its services through affiliates which send marketing text messages directing recipients to its website. Between 1 May 2015 and 22 March 2016, approximately 64,000 unsolicited direct marketing text messages were sent on the company's behalf by its affiliate, a company based in Belize. During this period, 885 complaints were made to GSMA's Spam Reporting Service. The GSMA’s Spam Reporting Service allows mobile users to report the receipt of unsolicited marketing text messages to the GSMA, which makes such complaints data available to the ICO.
The data had been obtained from a number of different websites (loan companies and a prize draw website) which had generic and unspecific privacy notices which did not indicate that the data would be used for sending direct marketing text messages by or on behalf of the company.
ICO Finding
The ICO found that between 1 May 2015 and 22 March 2016, Munee Hut instigated the transmission of approximately 64,000 unsolicited direct marketing messages to individual subscribers without the requisite consent (Regulation 22 of PECR).
As the instigator of the text messages, it was the responsibility of the company to ensure that sufficient consent had been acquired. The ICO was satisfied that the company did not have the consent of the subscribers.
The ICO stressed that it was not acceptable to rely on assurances of indirect consent without undertaking proper due diligence. It found that a reputable list broker should provide full details of individuals’ consent to be contacted. If a broker could not provide such information, the buyer should not use the list. Munee Hut relied on contractual assurances, but did not carry out a proper review of the privacy notices of the websites from which the data had been obtained.
The ICO did not consider the contravention deliberate, but Munee Hut should have known or ought reasonably to have known that there was a risk that these contraventions would occur.
Harm
The ICO was satisfied that the contravention was 'serious' due to the fact that 64,000 messages were sent and 885 complaints received.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
MyHome Installations Limited
19 June 2017
£50,000
PECR – Regulation 21
Factual background
MyHome Installations Limited (the ‘Company’) provides home security and electrical installation products and services to members of the public.
Between 6 April 2015 and 9 September 2016, the ICO received 169 complaints about unsolicited direct marketing calls made by the Company. Of those, 138 complaints were made to the Telephone Preference Service (‘TPS’) (a register of numbers allocated to subscribers who have notified the ICO that they do not wish to receive unsolicited calls for direct marketing purposes), with a further 31 made direct to the ICO. All of these complaints were made by individual subscribers who were registered with the TPS.
The Company had purchased data from third party companies for the purpose of marketing, and relied on its data providers to deliver their promise of high quality, TPS cleansed data. In response to the ICO’s enquiries, the Company was unable to provide evidence of consent in respect of the complaints made, as the marketing manager in place at the time had left the business. This previous manager had historically bought data and added it to the company’s call lists without any way of referencing its source.
ICO finding
The ICO found that between 6 April 2015 and 9 September 2016, the Company used a public telecommunications service for the purposes of making 169 unsolicited calls for direct marketing purposes to subscribers where the number allocated to the subscriber in respect of the called line was a number registered with the TPS, contrary to regulation 21(1)(b) of PECR.
The ICO also found that the 169 complaints were made by subscribers who had registered with the TPS at least 28 days prior to receiving the calls and they had not given their prior consent to the Company to receive calls.
The ICO did not consider the contravention deliberate. However, because the Company knew that people were complaining about calls they were receiving, the ICO considered that it ought to have known the risk of contravening PECR. The ICO also found that the Company failed to take reasonable steps to prevent the contraventions.
Harm
The ICO considered that these contraventions were ‘serious’ because there had been multiple breaches of regulation 21 by the Company arising from its activities over an 18-month period, which led to a number of complaints about unsolicited direct marketing calls being made to the TPS and the ICO. Also, it is reasonable to suppose that considerably more calls were made by the Company, because those who went to the trouble of complaining are likely to represent only a proportion of those who actually received calls.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
The National Society for the Prevention of Cruelty to Children
3 April 2017
£12,000
DPA – 1st Principle, 2nd Principle
(PECR – Regulation 22 also considered, but was not a basis for the monetary penalty)
Factual Background
The National Society for the Prevention of Cruelty to Children (‘NSPCC’) is a charity campaigning and working in child protection in the , the and the Isle of Man.
Collection and use of data
From June 2014 until August 2015, the NSPCC used a standard form (the ‘June 2014 Form’) when collecting the personal data of individuals. The June 2014 Form did not provide any privacy information about the use of the personal data collected for live telephone or mail marketing. In each case, some time after the collection of the data, the NSPCC sent the individuals a letter which stated that their data would be used for marketing.
NSPCC collected personal data from 22,608 individuals using the June 2014 Form. Of these:
  • 22,354 individuals were sent a total of 144,317 marketing mailings since June 2014;
  • the personal data of 20,370 individuals were being used for mail marketing as of November 2016, with four complaints having been received; and
  • 11,360 individuals received a total of around 22,720 live telephone marketing calls up to November 2016. 2,540 of the telephone numbers called were registered with the Telephone Preference Service (‘TPS’), and 3,527 marketing calls were made to those numbers.
The TPS is a register of numbers allocated to subscribers who have notified the TPS that they do not wish to receive unsolicited calls for direct marketing purposes on those lines.
Data-matching and tele-matching
The NSPCC had used the services of external companies to undertake data-matching and tele-matching on its behalf since at least 2010. Data-matching is the use of personal data to obtain and use other items of personal data which data subjects may have chosen not to provide to the data controller, and tele-matching is a form of data-matching by which telephone numbers are obtained and used. From 6 April 2010 until May 2016 the NSPCC tele-matched 246,751 individuals' records in order to obtain their telephone numbers and make marketing calls to them. 46,415 telephone numbers were on the TPS, but the NSPCC did not screen the numbers against the TPS. From May 2016 onwards the NSPCC tele-matched numbers for data accuracy purposes. The NSPCC also used the services of an external company to match email addresses to individual supporter records. In November 2014 the NSPCC data-matched 115,741 individuals' email addresses to the personal data of supporters.
Wealth screening
The NSPCC used the services of a wealth screening company to market specific events to a select number of appropriate individuals. The personal data which the NSPCC provided to the wealth screening company included supporters' names and addresses and information relating to their donation history.
The wealth screening company appended 3,217 records, of the 2,105,145 screened, with a specific “millionaire” wealth flag. In April 2015 the NSPCC contacted 493 of these 3,217 individuals across two fundraising communications specifically on the basis of that wealth flag. The NSPCC also used the services of a wealth screening company to screen 5,870,135 supporter records held in data warehouses, although these included duplicate supporter records, as the same supporter may have been included on multiple databases. It appended 1,862 of these records with a wealth flag, and selected 70 of these for a regional legacy event.
‘You Can’ Direct Response Television campaign
In June 2014 the NSPCC began its 'You Can' Direct Response Television (‘DRTV’) campaign. The campaign ended in November 2015. Individuals who made a donation by text received two separate bounce-back text messages. As of June 2016, 73,921 individuals had made a donation via SMS text to the NSPCC as part of this campaign, and received two bounce-back text messages in response:
“Thank you for supporting the NSPCC. We’d like to contact you to tell you more about our work. For terms visit http://www.nspcc....”
“Text OUT to 70744 to stop further contact”
The Commissioner considers that these bounce back text messages were sent for the purposes of direct marketing since they informed supporters of the NSPCC's intention to make further marketing approaches in the future. Further, individuals were automatically opted-in to receive further marketing communications.
ICO Finding
The ICO was satisfied that the contraventions of the Data Protection Act 1998 (‘DPA’) were deliberate, in the sense that the actions of the NSPCC were deliberate. While the NSPCC may not have deliberately set out to contravene the DPA, it deliberately acted in such a way that it did so. The ICO also found that the NSPCC failed to take reasonable steps to prevent the contraventions of the DPA from occurring.
Collection and use of data
The ICO found that the NSPCC’s system of processing personal data was unfair because it did not inform individuals that their data would be processed for the purposes of live telephone or mail marketing at the time the data was collected and/or before the intended processing occurred (DPA – 1st Principle, 2nd Principle).
Data-matching and tele-matching
The ICO also found that it was unfair for the NSPCC to use the data for data-matching and/or tele-matching purposes without consent of the data subjects and that such activities were incompatible with the purposes explained in their privacy notices (DPA – 1st Principle, 2nd Principle).
Wealth screening
The ICO found that the NSPCC unfairly processed individuals’ personal data because using their data to perform wealth screening was not in the reasonable expectation of those individuals and they were not informed that NSPCC would adopt these techniques (through the NSPCC’s privacy policy or otherwise) (DPA – 1st Principle). The ICO also found that the purpose of wealth analysis was incompatible with the purposes for which the data were obtained (administrating the donation, and if the individual consented, for marketing purposes) (DPA – 2nd Principle).
‘You Can’ Direct Response Television campaign
The ICO considered that the bounce back text messages were sent for the purposes of direct marketing because they informed supporters of the NSPCC’s intention to make further marketing approaches in the future, and the NSPCC had failed to obtain the necessary consent for such direct marketing (PECR – Regulation 22). This contravention was recorded by the ICO as an additional matter of concern but was not used as a basis for the MPN.
Harm
The ICO considered that the contraventions of the DPA were serious because of the length of time over which the contraventions took place, the number of data subjects whose rights were infringed, and the fact that the individuals were effectively stripped of control over their own personal data (where the NSPCC used the June 2014 Form) or were likely to have been affected by those contraventions in significant practical ways (where data-matching and wealth screening took place).
The ICO was satisfied that these contraventions were of a kind likely to cause substantial damage or substantial distress, taking into account that:
  • at least some proportion of data subjects are likely to be distressed as a result of the contravention;
  • at least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with additional approaches from the NSPCC; and
  • given the scale and duration of the contraventions, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • The NSPCC had followed the unlawful practices described above over a period of several years and on a continuing basis.
  • The NSPCC's practices appear to have been driven at least in part by financial gain. The fact that it is a charity is not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.
  • The NSPCC had contravened the fundamental rights of a very large number of individuals not to be subject to unlawful direct telephone marketing and to have their personal data processed in accordance with the DPA and Directive 95/46/EC.
  • By failing adequately to explain to data subjects how their personal data would be used, the NSPCC had deprived them of control and informed decision-making about their personal data to a significant extent.
  • The NSPCC's activities as described above have exposed the relevant data subjects to substantially distressing and/or damaging consequences, including intrusions into their privacy due to unsolicited direct marketing communications. It is likely that many individuals will have been persuaded by the NSPCC to increase their financial support. Those financial consequences will to a significant extent have flowed from the NSPCC's unlawful practices described above.
  • It is likely that the NSPCC has also contravened Regulation 22 of PECR.
Mitigating Factors
  • The NSPCC co-operated with the Commissioner's investigations.
  • The NSPCC is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • The NSPCC has taken remedial action.
  • The NSPCC's practices may to an extent have reflected commonplace - albeit mistaken and unlawful - approaches in the charitable sector.
  • The intended monetary penalty may have negative reputational consequences.
Norfolk County Council
15 March 2017
£60,000
DPA – 7th Principle
Factual Background
On 14 April 2014, a third party collected some redundant furniture from the Council as part of an office move. The furniture included a number of filing cabinets used by the children’s social work team.
On 18 April 2014, a member of the public bought one of the filing cabinets from a second hand furniture shop. The filing cabinet was delivered to their home address and was found to contain case files, including sensitive information relating to (among others) seven children.
The Council did not keep a record of how many pieces of furniture were collected by the third party and it was not clear which team was responsible for ensuring that the furniture was empty prior to disposal.
ICO Finding
The ICO found that the Council did not have in place appropriate organisational measures for ensuring that such an incident would not occur, i.e. for ensuring that the office furniture was empty prior to disposal (DPA – 7th Principle).
In particular, the Council did not have an adequate written procedure governing how office furniture disposal should be managed.
The ICO did not consider the contravention deliberate, however, the Council ought reasonably to have known that there was a risk that this contravention would occur unless it ensured the office furniture disposal process was governed by an adequate written procedure.
Harm
The ICO was satisfied that the contravention was ‘serious’ due to the highly sensitive nature of some of the personal data that was left in the furniture and the potential consequences.
The ICO also considered that the contravention was of a kind likely to cause distress to the affected individuals because the personal data could be further disseminated or misused and that the damage or distress was likely to be substantial having regard to the number of affected individuals and the highly sensitive nature of some of the personal data held in the files.
Aggravating Factors
  • Some of the office furniture is still unaccounted for.
Mitigating Factors
  • The information in the filing cabinet was recovered from the member of the public after eight days, as soon as the Council was notified.
  • The Council has taken remedial action.
  • The Council referred this incident to the ICO and was co-operative during the investigation.
  • A monetary penalty may have a significant impact on the Council’s reputation and (to some extent) its resources.
Nottinghamshire County Council
24 August 2017
£70,000
DPA – 7th Principle
Factual Background
In July 2011, the Council’s digital team launched its ‘Home Care Allocation System’ (‘HCAS’). Third party home care providers could access HCAS to confirm that they had capacity to support a particular service user. The home care providers were each sent a link to HCAS via e-mail. There were no access controls on HCAS, such as the use of a username or password.
On 14 June 2016, a member of the public informed Nottinghamshire that HCAS could also be accessed via an internet search engine. They were concerned that, “Should someone who would wish to prey on a vulnerable person…it would not be difficult for them to attend one of the streets listed, find where the carers attend and subsequently consider attempting a burglary or similar knowing the service user is very likely to be vulnerable or elderly.”
At that time, HCAS contained a directory of 81 service users including their gender, addresses (to the extent required by each home care provider) and post codes; personal care needs and care package requirements such as the number of home visits per day and whether the service user was currently in hospital. This personal data would allow a motivated individual to identify a service user.
ICO Finding
The ICO found that the Council did not have appropriate technical and organisational measures in place for ensuring so far as possible that such an incident would not occur (DPA – 7th Principle). In particular, the ICO found that HCAS did not have in place an authentication process which identified a user before allowing them access to the system, such as a username or password.
The ICO did not consider the contravention deliberate. However, the Council should have known or ought reasonably to have known there was a risk that unauthorised or unlawful access would occur unless it ensured the personal data held on HCAS was appropriately protected. The ICO found that the Council had failed to take reasonable steps to prevent the contravention.
Harm
The ICO was satisfied that the contravention identified was ‘serious’ due to the number of data subjects, the nature of the personal data held on HCAS and the potential consequences of unauthorised or unlawful access.
The ICO held that the contravention was likely to cause distress to the service users if they knew that their personal data had been accessed by unauthorised individuals over a five year period, and that such distress was likely to be substantial because of the nature of the data, the number of service users, and the vulnerable nature of the service users. The ICO also found that service users would be distressed simply through having justifiable concerns that their information had been further disseminated, even if those concerns did not actually materialise.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
  • HCAS was taken offline on 14 June 2016.
  • Nottinghamshire reported this incident to the Commissioner and was co-operative during her investigation.
  • A monetary penalty might have a significant impact on Nottinghamshire’s reputation and, to an extent, its resources.
Onecom Limited
11 May 2017
£100,000
PECR – Regulation 22
Factual Background
Onecom confirmed that it had sent 3,284,908 text messages between 1 October 2015 and 31 March 2016. Of these, 2,796,075 had been received by the recipient. The data used by Onecom for sending the marketing text messages had been obtained from various sources: (i) data acquired through the acquisition of other businesses; (ii) data obtained by Onecom from its own customers; and (iii) data obtained from third party data suppliers.
Between 26 October 2015 and 2 June 2016, 1050 complaints were made to GSMA’s Spam Reporting Service, or directly to the ICO, about the receipt of unsolicited direct marketing text messages relating to mobile phone upgrades. The GSMA’s Spam Reporting Service allows mobile users to report the receipt of unsolicited marketing text messages to the GSMA, who makes such complaints data available to the ICO. 944 of such messages did not identify Onecom as the sender, though the ICO was satisfied that all 1050 text messages complained about were sent by Onecom. Onecom was unable to provide evidence that it had consent to send those text messages or that it could rely on the ‘soft opt-in’.
ICO Finding
The ICO found that Onecom sent direct marketing messages without the appropriate consent (Regulation 22 of PECR).
The Commissioner did not consider the contravention deliberate, but Onecom should have known or ought reasonably to have known that there was a risk that this contravention would occur. The ICO found that Onecom had failed to take reasonable steps to prevent the contravention.
Harm
The Commissioner was satisfied that the contravention identified was ‘serious’ because of the number of individuals affected by the contravention.
Aggravating Factors
  • Onecom contravened regulation 23 of PECR in that it did not (at the very least in 944 of the 1050 text messages complained of) identify the person on whose behalf the messages were sent.
Mitigating Factors
  • Onecom has stopped sending marketing texts and taken a number of remedial steps to ensure future compliance.
Oxfam
3 April 2017
£6,000
DPA – 1st Principle, 2nd Principle
(PECR – Regulation 22 also considered, but was not a basis for the monetary penalty)
Factual Background
Oxfam is an international confederation of charities focused on the alleviation of global poverty.
Tele-matching
During the period 2003 until August 2015, Oxfam used the services of external companies to undertake tele-matching on its behalf. Tele-matching is data-matching by which telephone numbers which data subjects may have chosen not to provide are obtained and used.
Since 2011, Oxfam tele-matched a total of 267,521 records of donors. Oxfam used the telephone numbers obtained through tele-matching to make live marketing calls. Oxfam did not inform individuals that their data would be processed in this way.
Text message donation campaigns
Between August 2013 and July 2015, Oxfam undertook two campaigns that allowed individuals to donate to Oxfam via SMS text. Individuals who donated to a campaign received a bounce back text message and were automatically opted in to receive further text and telephone marketing. In addition, 40,504 individuals received between one and four further marketing text messages as part of further campaigns in the following 13 months.
ICO Finding
Tele-matching
The ICO found that it was unfair for Oxfam to use the data for tele-matching purposes without consent of the data subjects and that such activities were incompatible with the purposes explained in their privacy notices (DPA – 1st Principle, 2nd Principle).
The ICO was satisfied that the contravention of the Data Protection Act 1998 (‘DPA’) was deliberate, in the sense that the actions of Oxfam were deliberate. While Oxfam may not have deliberately set out to contravene the DPA, it deliberately acted in such a way that it did so. The ICO also found that Oxfam failed to take reasonable steps to prevent the contraventions of the DPA from occurring.
Text message donation campaigns
The ICO considered that the bounce back text messages sent as part of two separate Oxfam campaigns were sent for the purposes of direct marketing, since they informed supporters of Oxfam's intention to make further marketing approaches in the future. The Commissioner also found that Oxfam did not have the requisite consent to send direct marketing text messages to individuals who made donations via SMS text messages. This was considered to be a likely contravention of Regulation 22 of PECR. This contravention was recorded by the ICO as an additional matter of concern but was not used as a basis for the MPN.
Harm
The ICO considered that the contravention of the DPA was serious because of the length of time over which the contravention took place, the number of data subjects whose rights were infringed, and the fact that the data subjects were likely to have been affected by this contravention in significant practical ways.
The ICO was satisfied that the contravention was of a kind likely to cause substantial damage or substantial distress, taking into account that:
  • at least some proportion of data subjects are likely to be distressed as a result of the contravention;
  • at least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with additional approaches from Oxfam; and
  • given the scale and duration of the contravention, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • Oxfam has followed the unlawful practice described above over a period of several years and on a continuing basis.
  • Oxfam's practices appear to have been driven at least in part by financial gain. The fact that it is a charity is not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.
  • Oxfam has contravened the fundamental rights of very large numbers of individuals not to be subject to unlawful direct telephone marketing and to have their personal data processed in accordance with the DPA and Directive 95/46/EC.
  • Oxfam's activities as described above have exposed the relevant data subjects to substantially distressing and/or damaging consequences, including intrusions into their privacy due to unsolicited direct marketing communications. It is likely that many individuals will have been persuaded by Oxfam to increase their financial support. Those financial consequences will to a significant extent have flowed from Oxfam's unlawful practice described above.
  • It is likely that Oxfam has also contravened Regulation 22 of PECR.
Mitigating Factors
  • Oxfam co-operated with the Commissioner's investigations.
  • Oxfam is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • Oxfam has changed its television advertisements in light of the Commissioner's investigation.
  • Oxfam's practices may to an extent have reflected commonplace - albeit mistaken and unlawful - approaches in the charitable sector.
  • The intended monetary penalty may have negative reputational consequences.
PRS Media Limited (trading as Purus Digital)
27 March 2017
£140,000
PECR – Regulation 22
Factual Background
PRS Media Limited (‘PRS’) is an advertising marketing company. It markets services using different forms of media, including email and text message, directing recipients to websites.
Between 1 January 2016 and 17 May 2016, the GSMA’s Spam Reporting Service had received 2,628 complaints about the receipt of unsolicited direct marketing text messages sent on behalf of PRS. The GSMA’s Spam Reporting Service allows mobile users to report the receipt of unsolicited marketing text messages to the GSMA, who makes such complaints data available to the ICO.
Following the receipt of an Information Notice from the ICO, PRS explained that it had sourced the personal data for the text messaging from a competition and a prize draw website it owned. A condition of the entry to the competitions included a compulsory agreement to marketing at the point of sign-up. Although reference was made to this in both its terms and conditions and privacy policy, both were generic and unspecific. At no point was an individual able to express a preference on how they may be contacted.
ICO Finding
The ICO found that PRS did not have the consent of the 4,357,453 subscribers to whom it sent unsolicited direct marketing text messages (PECR – Regulation 22).
Harm
The ICO was satisfied that the contravention was serious due to the number of direct marketing text messages that were sent to subscribers without their consent, and the number of subsequent complaints made.
Aggravating Factors
  • PRS had failed on two separate occasions to answer requests for information from the ICO and it required the service of an Information Notice to compel a response.
  • The response received from PRS to the Information Notice provided unsatisfactory answers to the questions asked, and the figures provided were at odds with the Commissioner's own findings.
  • PRS did not identify the person who was sending or instigating direct marketing text messages.
Mitigating Factors
There were no mitigating features
Providence Personal Credit Limited
11 July 2017
£80,000
PECR – Regulation 22
Factual Background
Between 6 April 2015 and 13 October 2015, 285 complaints about the receipt of unsolicited direct marketing text messages relating to online loans were made to GSMA’s Spam Reporting Service, which shares complaints data with the ICO. The direct marketing text messages were sent by third party affiliates on behalf of Providence Personal Credit Limited (‘PPC’).
Under the affiliate agreement, PPC agreed to provide text promoting its products and the affiliates would send the text as direct marketing text messages. Affiliates received a fee for each individual who subsequently entered into a credit agreement with PPC having clicked on the web link contained in the text message.
Between 6 April 2015 and 31 October 2015, one of the affiliate companies, Money Gap Group Ltd, sent 868,393 unsolicited direct marketing text messages promoting PPC. In the same period another affiliate company, Sandhurst Associates Ltd, sent 130,664 unsolicited direct marketing text messages promoting PPC.
The individuals to whom the text messages were sent had not consented to the receipt of such direct marketing by or on behalf of PPC. The privacy notices used by the affiliates did not name PPC or any of its trading names, nor did they indicate that the data would be used for sending direct marketing text messages on behalf of PPC.
ICO Finding
The ICO found that PPC instigated the sending of direct marketing messages without the appropriate consent (Regulation 22 of PECR).
The Commissioner also found that PPC failed to take reasonable steps to prevent the contravention because, as the instigator of the direct marketing text messages, it was PPC's responsibility to ensure that valid consent to send direct marketing text messages had been acquired. Reasonable steps in these circumstances could have included reviewing the privacy notices and consent wording relied on by the affiliate companies, ensuring that they were sufficiently specific to amount to valid consent for the sending of direct marketing text messages on behalf of PPC.
The Commissioner did not consider PPC’s contravention of Regulation 22 of PECR deliberate. However, PPC knew or ought reasonably to have known that there was a risk that these contraventions would occur and was therefore negligent.
Harm
The Commissioner was satisfied that the contravention was ‘serious’ because PPC instigated the sending of at least 999,057 direct marketing text messages to subscribers without their consent.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
Road Accident Consult Ltd t/a Media Tactics
3 March 2017
£270,000
PECR – Regulations 19 & 24
Factual Background
Media Tactics generates leads in relation to individuals making a claim for a PPI refund.
Between 24 July 2014 and 9 June 2015, the ICO received 182 complaints about the receipt of unsolicited automated marketing calls made from telephone numbers used by Media Tactics. On further investigation, it was found that between 13 November 2014 and 9 June 2015 Media Tactics made 22,065,627 automated direct marketing calls.
On 24 August 2015 the ICO wrote to Media Tactics informing it that the ICO had evidence that it had made over 22 million automated direct marketing calls, that the ICO had received 182 complaints and asked Media Tactics to provide evidence that the recipients of the calls had consented to receiving automated marketing calls from Media Tactics.
Media Tactics informed the ICO that it purchased data from a number of different third party data providers, who had given warranties that the data was “opted-in”, and that the data had been screened against the Telephone Preference System. Most of the websites from which the telephone numbers of the complainants had originally been sourced belonged to payday loan and insurance brokers.
Many of the privacy notices on the identified websites were generic and unspecific and did not refer to the data being used for the purposes of making automated direct marketing calls. Only one of the privacy notices identified Media Tactics as a recipient of the data, but this was in a list of over 200 organisations.
ICO Finding
The ICO found that Media Tactics instigated over 22 million automated direct marketing calls without prior consent of the individuals called (Regulation 19 of PECR).
In particular, the ICO found that between 13 November 2014 and 9 June 2015 Media Tactics instigated the transmission of 22,065,627 automated marketing calls to subscribers without their prior consent. It also found that Media Tactics did not identify the person who was sending or instigating the automated marketing calls and provide the address of the person or a telephone number on which this person could be reached free of charge.
The ICO did not consider the contravention deliberate but Media Tactics should have known or ought reasonably to have known that there was a risk that this contravention would occur. Further, the ICO found that Media Tactics had failed to undertake adequate due diligence on its data providers.
Harm
The ICO was satisfied that the contravention was 'serious' because Media Tactics instigated the making of over 22 million automated marketing calls to subscribers without their prior consent, which resulted in 182 complaints being made to the Commissioner.
The Commissioner was also satisfied that contravention was of a kind likely to cause substantial distress and Media Tactics ought to have known that it was only a matter of time before substantial distress to the recipients of the calls was likely to be caused. The ICO indicated that the failure to identify Media Tactics as the caller or provide an address or telephone number on which it could be contacted free of charge was a factor likely to cause substantial damage or distress.
Aggravating Factors
  • The director of Media Tactics had been involved in the lead generation business for several years and had a history of contact with the ICO. Media Tactics should therefore have had a good level of awareness of PECR and its requirements.
Mitigating Factors
  • There is a potential for damage to Media Tactics’ reputation which may affect future business.
Royal & Sun Alliance Insurance plc (RSA)
5 January 2017
£150,000
DPA – 7th Principle
Factual Background
Royal & Sun Alliance Insurance plc (‘RSA’) is a multinational general insurance company. It provides (among other things) personal insurance products and services to its customers.
At some point between 18 May 2015 and 30 July 2015, a portable ‘Network Attached Storage’ device (the ‘device’) was stolen by an unidentified member of staff or contractor from a server room in RSA’s premises.
Access to the server room at RSA’s premises required the use of an access card and key. 40 of RSA’s staff and contractors (some of whom were non-essential) were permitted to access the server room unaccompanied.
The device held, among other things, personal datasets containing:
  • 59,592 customer names, addresses, bank account and sort code numbers; and
  • 20,000 customer names, addresses and credit card ‘Primary Account Numbers’.
The device did not contain expiry dates or CVV numbers. It was password protected but not encrypted. The device has not been recovered to date.
ICO Finding
The ICO found that RSA did not have appropriate technical and organisational measures for ensuring so far as possible that such an incident would not occur (DPA – 7th Principle).
In particular:
  • RSA did not encrypt the datasets prior to loading them onto the device;
  • RSA failed to physically secure the device in the server room;
  • RSA failed to routinely monitor whether the device was online and (if not) raise an alarm;
  • RSA did not have CCTV installed inside the server room;
  • RSA failed to restrict access to the server room to essential staff and contractors;
  • RSA permitted staff and contractors to access the server room unaccompanied; and
  • RSA failed to monitor access to the server room.
The ICO did not consider the contravention deliberate but held that RSA should have known or ought reasonably to have known that there was a risk that this contravention would occur. The ICO found that RSA had failed to take reasonable steps to prevent the contravention.
Harm
The ICO was satisfied that the contravention identified was ‘serious’ due to the number of affected individuals, the nature of the personal data that was held on the device and the potential consequences of the contravention.
The ICO held that the contravention was likely to cause substantial damage or substantial distress, taking into account:
  • the nature of the personal data, in particular as it concerns financial information; and
  • that portable devices have a high risk of loss or theft and require adequate security.
The ICO recognised that distress could be caused to RSA’s customers if they knew their financial information might have been accessed by the individual who stole the device, further disseminated or misused. Financial damage could also arise from exposure to blagging and possible fraud.
Aggravating Factors
  • RSA was unable to pinpoint exactly when the device was stolen.
  • RSA received 195 complaints about this incident.
Mitigating Factors
  • The device was password protected.
  • The personal data held on the device was not easily accessible.
  • So far as the Commissioner is aware, the information has not been further disseminated or accessed by third parties, and has not been used for fraudulent purposes.
  • RSA notified its affected customers and offered free CIFAS protection for 2 years.
  • RSA has now taken substantial remedial action.
  • A monetary penalty may have a significant impact on RSA’s reputation and, to an extent, its resources.
  • RSA has sought independent professional advice to assist with the remediation of this incident.
  • There is no indication that any RSA customer has suffered a financial loss.
TalkTalk Telecom Group Plc
7 August 2017
£100,000
DPA – 7th Principle
Factual Background
In 2002, TalkTalk’s portal was designed and implemented. Wipro, which was acting as processor to resolve high level complaints and to monitor and address network connectivity problems on TalkTalk’s behalf, was given access to the portal. 40 individual users employed in Wipro’s High Repeat Team had access to the personal data of between 25,000 and 50,000 TalkTalk customers at any point in time.
In September 2014, TalkTalk began receiving complaints from customers regarding scam calls purportedly from TalkTalk. Typically, the callers purported to be providing support for technical problems which had been detected. They were able to quote customers' addresses and TalkTalk account numbers.
TalkTalk commenced an initial security investigation and reported the matter to the ICO on 11 September 2014. In October 2014, TalkTalk commissioned a specialist investigation which identified three Wipro user accounts that had been used to gain unauthorised and unlawful access to the relevant personal data of up to 21,000 customers.
In November 2014, and in February, October and November of 2015, TalkTalk wrote to all of its customers warning them of potential scam calls and how to deal with them.
ICO Finding
The ICO found that TalkTalk did not have the appropriate technical and organisational controls to prevent unauthorised or unlawful processing of personal data (DPA – 7th Principle). The ICO also found that TalkTalk did not have controls in place to limit access to the customers whose accounts were being worked on to resolve network problems, or to limit exports to the fields that were actually needed for Ofcom reporting. Further, Wipro employees were able to access the portal from any internet-enabled device; no controls were put in place to restrict such access to devices linked to Wipro.
The Wipro employees were able to make "wildcard" searches, view large numbers of customer records at a time and to export data to separate applications and files (although there is no evidence of any bulk download of this data). Those capabilities gave opportunities for the misuse of the relevant personal data. There was no adequate justification for those capabilities.
The ICO considered that TalkTalk knew or ought reasonably to have known that there was a risk that the contravention would occur, and be of a kind likely to cause substantial damage or substantial distress. The ICO further found that TalkTalk failed to take reasonable steps to prevent such a contravention.
Harm
The ICO considered the contravention ‘serious’ because of the number of inadequacies in TalkTalk’s technical and organisational measures, the number of individuals affected, the nature of the personal data compromised, and the extent of the contravention.
In light of such inadequacies, some of the relevant personal data was likely to be misused in furtherance of fraud and/or other criminal activity. The relevant personal data was likely to help scammers (a) identify and contact target individuals and (b) pass themselves off as representatives of TalkTalk. Such communications were likely to result in at least some recipients providing their bank details to scammers and/or being defrauded and/or having their bank accounts used for money laundering. Those consequences would constitute substantial damage, and would be likely to cause substantial distress to at least some recipients, whether individually or cumulatively.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
  • TalkTalk was the victim of the malicious actions of a small number of individuals.
  • TalkTalk proactively reported this matter to the Commissioner.
  • TalkTalk took steps to minimise potentially harmful consequences, for example by immediately removing the offending Wipro employees' access to the portal and alerting all of its customers to the potential for scam calls.
  • There is no evidence that the affected customers (up to 21,000) suffered any damage or distress as a result of these incidents.
  • TalkTalk has implemented certain measures to prevent the recurrence of such incidents.
The Data Supply Company Limited
27 January 2017
£20,000
DPA – 1st Principle
Factual Background
The Data Supply Company is a list or data broker which obtains personal data from various sources and sells this information as marketing leads to organisations for the purpose of sending direct marketing to those individuals.
Between 19 June 2015 and 21 September 2015, 174 complaints were received by the GSMA's Spam Reporting Service or direct to the ICO, relating to the receipt of 21,045 unsolicited direct marketing text messages about pay day loans. The GSMA’s Spam Reporting Service allows mobile users to report the receipt of unsolicited marketing text messages to the GSMA, who makes such complaints data available to the ICO. The ICO established that the person responsible for sending those text messages had obtained the data from The Data Supply Company. The Data Supply Company had provided 580,302 records containing personal data.
ICO Finding
The ICO found that The Data Supply Company did not process the personal data it obtained from individuals fairly and lawfully (DPA – 1st Principle).
In particular:
  • The relevant individuals were not informed that their personal data would be disclosed to The Data Supply Company, or to the organisations to which The Data Supply Company sold the data on, for the purpose of sending direct marketing text messages.
  • The disclosures given would not be within those individuals’ reasonable expectations.
The ICO did not consider the contravention deliberate, but The Data Supply Company should have known or ought reasonably to have known that there was a risk that this contravention would occur and that it would be of a kind likely to cause substantial damage or substantial distress.
The ICO found that The Data Supply Company had failed to take reasonable steps to prevent the contravention, stating that it had failed to undertake proper due diligence when both buying and selling personal data to ensure that the processing was fair.
Harm
The ICO was satisfied that the contravention was 'serious' due to the number of records containing personal data being disclosed without the data subjects' knowledge or consent.
The ICO found that the contravention was of a kind likely to cause substantial distress.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
  • The Data Supply Company has informed the ICO that it is no longer trading in personal data.
The Lead Experts Limited
10 October 2017
£70,000
PECR – Regulations 19 & 24
Factual Background
The Lead Experts Limited (‘TLEL’) is a marketing firm based in Liverpool.
On 31 October 2016 the Commissioner served a third party information notice on DXI Limited (‘DXI’) in relation to automated calls made via the DXI voice broadcasting platform from numbers prefixed with 08454290 and 0844337, those being the prefixes for the reported complaint numbers.
DXI responded providing a spreadsheet containing a list of automated calling campaigns instigated by their customers, using these numbers as presentation CLIs (‘Calling Line Identifications’). The spreadsheet included the company names, CLIs used, dates of the campaigns and volume of calls made. The information provided showed that, between 4 May 2016 and 5 May 2016, TLEL made a total of 115,341 automated calls.
TLEL denied ever using automatic dialling and stated that its “only experience with DXI was that of buying a small batch of test leads of which we [TLEL] only dialled a small amount due to the quality not being very good.” DXI, however, provided sufficient evidence to refute this claim including, a signed order form outlining charges for calls to landlines and mobiles, audio files containing voice recordings of the messages to be played when the calls connected, and copies of e-mails in which TLEL supplied DXI with numbers to be loaded onto a dialler as part of their marketing campaign.
TLEL was unable to provide evidence that it had the consent of the individuals to whom it had instigated the transmission of the automated direct marketing calls.
ICO Finding
The ICO found that between 4 May 2016 and 5 May 2016 TLEL instigated the transmission of 115,341 automated marketing calls to subscribers (111,072 of which were successful) without their prior consent (Regulations 19 and 24 of PECR).
Furthermore, they failed to include the company name, address and telephone number in their automated messages pursuant to the requirements of Regulation 24.
The ICO was satisfied that TLEL deliberately contravened Regulation 19 of PECR in the sense that TLEL’s actions were deliberate.
Harm
The Commissioner was satisfied that the contravention identified above was ‘serious’ because TLEL instigated the making of 115,341 automated marketing calls to subscribers without their prior consent.
Aggravating Factors
  • TLEL had repeatedly denied all wrongdoing and pleaded ignorance as to the contravention, despite evidence verifying its instigation of the direct marketing. TLEL also disengaged from the Commissioner during the latter part of the investigation.
  • While the CLIs used for the marketing calls were legitimate, they did not identify the company making the call. The CLIs were routed through Buenos Aires making it difficult to trace the company.
  • The CLIs were also 'added value' numbers which charged the individual when they would call to try to identify the company.
  • The Commissioner also took into account the fact that TLEL did not identify the person/organisation who was instigating the call, or provide details on which the person making the calls could be contacted free of charge.
  • When challenged regarding its practice TLEL sought to liquidate the company on 27 July 2017. This was placed on hold pending the Commissioner’s investigation.
Mitigating factors
There were no mitigating features
Remedial Action
No mention of remedial action
The Royal British Legion
3 April 2017
£12,000
DPA – 1st Principle, 2nd Principle
Factual Background
Wealth screening
The Royal British Legion (‘RBL’) used the services of a wealth screening company to analyse the financial status of its supporters in order to identify those that would have the capacity and propensity to make a larger donation to charity. The personal data which RBL provided to the wealth screening company included supporters' names and addresses and information relating to their donation history. 2,445,670 records were scanned in 2014.
Data-matching and tele-matching
RBL also used the services of external companies to undertake data-matching and tele-matching on its behalf since 2010. Data-matching is the use of personal data to obtain and use other items of personal data which data subjects may have chosen not to provide to the data controller, and tele-matching is data-matching with telephone numbers. RBL estimated that it is likely to have tele-matched approximately 900,000 records and data-matched 52,966 email addresses to the personal data of supporters since 2010.
ICO Finding
The ICO was satisfied that these contraventions were deliberate, in the sense that the actions of RBL were deliberate. While RBL may not have deliberately set out to contravene the DPA, it deliberately acted in such a way that it did so.
Alternatively, RBL ought reasonably to have known that there was a risk that the contraventions would occur, and that they would be of a kind likely to cause substantial damage or distress.
Wealth screening
The ICO found that the wording of RBL’s privacy notices in place at the relevant time did not indicate that personal data may be processed for the purpose of wealth analysis, nor had sufficient information been provided to supporters to enable them to understand what would be done with their personal data in terms of screening and object to such processing if they so wished (DPA – 1st Principle). In addition, the processing of personal data for the purposes of wealth analysis was incompatible with the purpose for which the data were obtained (DPA – 2nd Principle).
Data-matching and tele-matching
The ICO also found that RBL did not have the consent of the data subjects to use individuals’ personal data to undertake data-matching and/or tele-matching and that such activities were neither compatible with the purposes explained in RBL’s privacy notices nor in the reasonable expectation of the individuals affected (DPA – 1st and 2nd Principles).
Harm
The ICO considered that the contraventions were serious because of the length of time over which the contraventions took place, the number of data subjects whose rights were infringed and the data subjects were likely to have been affected by those contraventions in significant practical ways (where data-matching and wealth screening took place).
The ICO was satisfied that these contraventions were of a kind likely to cause substantial damage or substantial distress, taking into account that:
  • at least some proportion of data subjects are likely to be distressed as a result of the contravention;
  • at least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with additional approaches from the RBL; and
  • given the scale and duration of the contraventions, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • RBL has followed the unlawful practices described over a period of several years.
  • RBL's practices appear to have been driven by financial gain. The fact that it is a charity is not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.
  • RBL has contravened the fundamental rights of very large numbers of individuals to have their personal data processed in accordance with the Data Protection Act 1998 and Directive 95/46/EC.
  • By failing to adequately explain to data subjects how their personal data would be used, RBL has deprived them of control and informed decision-making about their personal data to a significant extent.
  • RBL's activities as described have exposed the relevant data subjects to substantially distressing and/or damaging consequences, including intrusions into their privacy due to increased direct marketing communications from RBL. It is likely that many individuals will have been persuaded by RBL to increase their financial support. Those financial consequences will to a significant extent have flowed from RBL's unlawful data protection practices.
Mitigating Factors
  • RBL co-operated with the Commissioner's investigations.
  • RBL is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • RBL has taken remedial action.
  • RBL’s practices may to an extent have reflected commonplace – albeit mistaken and unlawful – approaches in the charitable sector.
  • The intended monetary penalty may have negative reputational consequences.
True Telecom Limited
6 September 2017
£85,000
PECR – Regulation 21, Regulation 24
Factual Background
True Telecom Limited (‘True Telecom’) provides telephone services to businesses and residential consumers. Services include broadband, line rental, calls, and mobile sim-only plans.
Between 6 April 2015 and 27 April 2017, the ICO received 201 complaints through the Telephone Preference Service (‘TPS’) about unsolicited direct marketing calls made by True Telecom. The TPS is a register of numbers allocated to subscribers who have notified them that they do not wish to receive unsolicited calls for direct marketing purposes on those lines. All of these complaints were made by individual subscribers who were registered with the TPS.
Some of the complainants reported that they received unsolicited calls from a withheld number and that the calls were misleading because the callers gave the impression that they were calling from BT Openreach.
On 18 May 2016, the ICO informed True Telecom of the complaints received. True Telecom's response stated that it was unable to provide any consent for the calls and that it had obtained the data used to make the calls through 'data scraping' – during which a software tool is used to pull or 'scrape' information from open source listings into a spreadsheet. Once data is scraped, the number is uploaded to True Telecom's TPS screening software before being allocated to their internal sales team.
Although the TPS screening software was used, True Telecom advised that a selection of data was made available to the outbound sales team. This data was not subject to TPS screening during a transitional period after the departure of the previous IT manager.
ICO Finding
The ICO held that True Telecom made unsolicited direct marketing calls to subscribers whose numbers were registered with the TPS without prior consent (Regulation 21 of PECR).
The ICO was also satisfied that, for the purposes of Regulation 21 of PECR, the 201 complaints were made by subscribers who had registered with the TPS at least 28 days prior to receiving the calls and had not given prior consent to True Telecom to receive calls.
True Telecom was unable to establish that subscribers had consented to be called due to the nature of the way it had obtained the data. ICO guidance on direct marketing explains that organisations must keep clear records of what an individual has consented to and when and how this consent was obtained.
In addition, the ICO held that True Telecom knew or ought reasonably to have known that there was a risk that these contraventions would occur given that True Telecom relied on direct marketing due to:
  • the nature of its business;
  • the way in which it sourced its data; and
  • the fact that the issue of unsolicited calls was widely publicised by the media as being a problem.
The ICO also held that True Telecom failed to take reasonable steps to prevent the contraventions, which could have included:
  • carrying out adequate screening of the data against the TPS register;
  • ensuring that the entire TPS file they received from their provider was uploaded on their system before making calls; and
  • providing telesales staff with written procedures and training regarding the requirements of PECR and how to comply with them.
Harm
The ICO was satisfied that the contravention was ‘serious’, owing to the number of individuals affected, and True Telecom’s grievous failure to screen the telephone numbers against the TPS. In addition, the contraventions took place over a period of approximately two years. The ICO also noted that it was reasonable to suppose that considerably more calls were made, and those affected had not complained.
Aggravating Factors
  • True Telecom had previously been contacted by the ICO regarding complaints and received guidance related to this.
  • Despite being advised by the ICO of the requirement to do so, True Telecom failed to register as a data controller under the Data Protection Act 1998 and was prosecuted for this offence in March 2017. The ICO considered this indicative of True Telecom's attitude towards compliance with regulatory requirements.
  • The ICO also took account of the fact that True Telecom had failed to identify the person who was making the calls, or provide contact details on which the person could be reached free of charge.
Mitigating Factors
  • There is potential for damage to True Telecom’s reputation which may affect future business.
Vanquis Bank Limited
4 October 2017
£75,000
PECR – Regulation 22
Factual Background
Between 9 April 2015 and 16 February 2016, Vanquis Bank Limited (‘VBL’) instigated a campaign to send 870,849 direct marketing text messages to subscribers. VBL obtained the personal data from third parties and relied on indirect consent for the direct marketing text messages sent to subscribers.
VBL came to the attention of the ICO in December 2015 on review of the ICO’s ‘monthly threat assessment’. This revealed that 15 complaints about VBL had been made to GSMA’s Spam Reporting Service, which allows mobile users to report the receipt of unsolicited marketing text messages to the GSMA (the GSMA makes such complaints data available to the ICO). The Commissioner subsequently launched an investigation to determine whether VBL’s text message marketing had been carried out in compliance with Regulation 22 of PECR.
Further, between 17 December 2015 and 3 August 2016 620,000 direct marketing e-mails were sent to subscribers by one of VBL’s sub-affiliates on behalf of VBL. The ICO received 9 complaints in respect of such e-mails. The indirect consent VBL had relied upon for 7 of the 9 complaints had been obtained through various affiliates and sub-affiliates.
ICO Finding
The ICO found that VBL did not have the appropriate consent of the data subjects to send direct marketing text messages or emails (Regulation 22 of PECR).
VBL was unable to evidence that individuals to whom direct marketing text messages and e-mails had been sent had consented to receipt of the messages.
The ICO considered that VBL did not deliberately contravene Regulation 22 of PECR, however, VBL knew or ought to reasonably have known that there was a risk that these contraventions would occur. The ICO also found that VBL failed to take reasonable steps to prevent the contraventions.
Harm
The Commissioner was satisfied that the contravention was ‘serious’ because in a ten month period VBL sent a total of 870,849 direct marketing text messages to subscribers without their consent. This resulted in 131 complaints being made.
Further, in a five month period VBL instigated the sending of a total of 620,000 direct marketing emails to promote VBL services to subscribers without their consent. This resulted in 9 complaints being made.
Aggravating factors
No mention of aggravating features
Mitigating factors
There were no mitigating features
Remedial Action
No mention of remedial action
Verso Group (UK) Limited
17 October 2017
£80,000
DPA – 1st Principle
Factual background
Verso Group (UK) Limited (‘Verso’) is a data broking company.
Whilst investigating two organisations for the sending of direct marketing communications in contravention of PECR, it came to the Commissioner’s attention that Verso had supplied those companies with large volumes of personal data which was then used in contravention of PECR. Consequently, on 17 March 2016 the Commissioner commenced an investigation into whether or not Verso had obtained and/or supplied the personal data in compliance with Data Protection Principle 1. The Commissioner corresponded extensively with Verso between March and November 2016.
In that correspondence Verso explained how it obtained and supplied personal data, including information about specific transactions. It provided the Commissioner with information about the companies and websites from which it obtained personal data. Verso also provided the Commissioner with evidence of its due diligence measures in respect of companies that had supplied it with personal data. Verso also supplied information about telemarketing campaigns through which it obtained personal data and the scripts for those telephone calls.
The Commissioner considered the terms and conditions and privacy notices applicable to the personal data and found that the data subjects had not consented to their personal data being supplied to Verso and/or for onward sale to other companies for direct marketing purposes. The Commissioner also considered an adjudication of the Direct Marketing Commission (DMC) published in August 2016 concerning Verso’s supply of over 2 million customer records to an SMS marketing company for use by a gambling company. In their adjudication the DMC found that Verso had contravened a number of provisions of the Direct Marketing Association’s Code.
ICO Finding
The ICO found that across the various transactions it reviewed Verso:
  • failed to provide the data subjects with sufficiently clear information about the companies to whom their personal data would be disclosed for direct marketing purposes; and
  • sold personal data which it had obtained unfairly, and so the onward sale was also unfair.
The ICO found that these transactions contravened Data Protection Principle 1.
The Commissioner considered that these contraventions were deliberate, in the sense that Verso's actions were deliberate and systemic. Alternatively, Verso knew or ought reasonably to have known that there was a risk that these contraventions would occur and be of a kind likely to cause damage or substantial distress.
The Commissioner further considers that Verso failed to take reasonable steps to prevent such a contravention, in that:
  • Verso failed to undertake adequate due diligence when selecting its data suppliers in order to ensure that it received and used personal data fairly;
  • Verso failed to incorporate adequate contractual terms requiring its data suppliers to ensure that personal data was obtained and provided to Verso fairly;
  • Verso failed to take practical steps to satisfy itself that data subjects were provided with sufficiently specific information to help them understand what would be done with their personal data; and
  • when obtaining personal data from data subjects, Verso should have provided sufficiently specific information about the companies to whom Verso would provide personal data.
Harm
The Commissioner considers that these contraventions were serious, in that:
  • they involved large volumes of personal data and large numbers of data subjects;
  • Verso's contraventions were systemic: they were not isolated, one-off or occasional errors; and
  • there were numerous contraventions extending over a period of years.
Aggravating factors
  • Verso's contraventions were numerous, systemic and serious. They took place over a number of years and affected many thousands of data subjects.
  • Verso was unhelpful and obstructive during the Commissioner's investigation. It failed to provide some requested information, obfuscated in many of its answers and declined to co-operate adequately on a number of occasions. The Commissioner had to threaten to issue formal information notices in order to obtain answers to some of her questions.
  • Verso was unable to demonstrate how it had taken steps to ensure compliance with the DPA.
  • In the circumstances, the Commissioner considers Verso to have acted in disregard of its legal obligations.
Mitigating factors
  • Verso provided the Commissioner with some relevant information about its practices during the course of her investigation.
  • The penalty could have a significant reputational impact on Verso.
WM Morrison Supermarkets Plc
12 June 2017
£10,500
PECR – Regulation 22
Factual Background
WM Morrison Supermarkets Plc (‘Morrisons’) is a national chain of supermarkets.
As a result of an update to its systems in early 2016, Morrisons received queries from customers stating that they were not receiving e-mails from Morrisons. It therefore made the decision to send “Your account details” e-mail to individuals who had previously opted out of marketing in relation to their Morrisons More card but had opted in to marketing for online groceries, advising them on how to update their marketing preferences.
Between 24 October 2016 and 25 November 2016, Morrisons instigated the transmission of 236,651 “Your account details” e-mails. Of those, 130,671 e-mails were successfully received.
ICO Finding
The ICO found that Morrisons had sent 130,671 unsolicited communications by means of e-mail to individual subscribers for the purposes of direct marketing without the necessary consent (Regulation 22 of PECR).
As the instigator of the e-mails, it was the responsibility of Morrisons to ensure that sufficient consent had been acquired. Morrisons was unable to evidence that the individuals to whom e-mails had been sent had consented to receipt of the messages.
The Commissioner considered that Morrisons deliberately contravened Regulation 22 of PECR because Morrisons was aware that the e-mail was being sent to individuals who had previously indicated that they did not consent to receive direct marketing in relation to their Morrisons More card. However, Morrisons sent these individuals emails despite its knowledge of its obligations under the Data Protection Act 1998 to respect such opt-outs.
Harm
The Commissioner was satisfied that the contravention was ‘serious’ because between 24 October 2016 and 25 November 2016 Morrisons knowingly sent a total of 130,671 direct marketing emails to subscribers without their consent.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
Remedial Action
No mention of remedial action
WWF-UK
3 April 2017
£9,000
DPA – 1st Principle, 2nd Principle
Factual Background
WWF-UK is an founded in 1961, working in the field of wilderness preservation, and the reduction of .
Sharing personal data with third parties
WWF-UK was a member of a Reciprocate Scheme, which was run by an external company and enabled participating charities to share or swap the personal data of donors or prospective donors. Between 2012 and 2015 WWF-UK provided quarterly updates to the Reciprocate Scheme and in total shared 174,512 donor records, including details such as the name and addresses of donors.
WWF-UK’s privacy notice stated that “from time to time we may agree with carefully selected organisations to swap data, so that we can write to each other’s supporters. If you do not wish us to share your data in this way, please tick this box…”
Wealth screening
WWF-UK used the services of a wealth screening company to analyse the financial status of its supporters in order to identify those that would have the capacity and propensity to make a larger donation to charity. The personal data which WWF-UK provided to the wealth screening company included supporters' names and addresses and information relating to their donation history.
WWF-UK confirmed that it had undertaken such activity on three occasions: in 2006, 2011, and 2016. It wealth-screened 211,352 records in 2011, and a further 580,098 records in 2016. These figures do not necessarily reflect the number of individuals whose data was screened, as some supporters’ data may have been screened more than once. The total number of individuals whose personal data was processed for the purposes of wealth analysis was 643,531.
Tele-matching
WWF-UK began tele-matching (using personal data to obtain and use telephone numbers which data subjects have chosen not to provide) in 2006 and stopped in March 2016. From 6 April 2010 until March 2016 it tele-matched a total of 83,475 records relating to 55,684 supporters.
ICO Finding
The Commissioner was satisfied that these contraventions were deliberate, in the sense that the actions of WWF-UK were deliberate. While WWF-UK may not have deliberately set out to contravene the DPA, it deliberately acted in such a way that it did so.
Alternatively, WWF-UK ought reasonably to have known that there was a risk that the contraventions would occur, and that they would be of a kind likely to cause substantial damage or distress.
Sharing personal data with third parties
The ICO found that WWF-UK unfairly processed individuals’ personal data because the terms of its privacy notice were unduly vague and/or ambiguous and did not provide data subjects with adequate information as to how their personal data would be shared via the schemes (DPA – 1st Principle). The ICO also found that the sharing of personal data via the schemes was incompatible with the purposes explained in WWF-UK’s privacy notices (DPA – 2nd Principle).
Wealth screening
The ICO found that WWF-UK unfairly processed individuals’ personal data because using their data to perform wealth screening was not in the reasonable expectation of those individuals and they were not informed that WWF-UK would adopt these techniques (through WWF-UK’s privacy policy or otherwise) (DPA – 1st Principle). The ICO also found that the purpose of wealth analysis was incompatible with the purposes for which the data were obtained (administering the donation and, if the individual consented, marketing) (DPA – 2nd Principle).
Tele-matching
The ICO found that it was unfair for WWF-UK to use the data for data-matching and/or tele-matching purposes without the consent of the data subjects and that such activities were incompatible with the purposes explained in its privacy notices (DPA – 1st Principle, 2nd Principle).
Harm
The ICO considered that the contraventions were serious because of the length of time over which the contraventions took place, the number of data subjects whose rights were infringed and the data subjects were likely to have been affected by those contraventions in significant practical ways.
The ICO was satisfied that these contraventions were of a kind likely to cause substantial damage or substantial distress, taking into account that:
  • at least some proportion of data subjects are likely to be distressed as a result of the contravention;
  • at least some proportion of data subjects are likely to suffer a financial impact and a diversion of time and resources in dealing with additional approaches from the WWF-UK; and
  • given the scale and duration of the contraventions, it is likely that such distress and/or damage would be substantial. At least some of the affected data subjects would have been likely to suffer substantial distress and/or damage. Alternatively, the cumulative levels of damage and/or distress of this kind of contravention would have been likely to be substantial.
Aggravating Factors
  • WWF-UK had followed the unlawful practices described over a period of several years and on a continuing basis.
  • WWF-UK's practices appear to have been driven at least in part by financial gain. The fact that it is a charity is not an excuse in this respect. In fact, the public is arguably entitled to expect charities to be especially vigilant in complying with their legal obligations.
  • WWF-UK had contravened the fundamental rights of very large numbers of individuals to have their personal data processed in accordance with the DPA and Directive 95/46/EC.
  • By failing to adequately explain to data subjects how their personal data would be used, WWF-UK has deprived them of control and informed decision-making about their personal data to a significant extent.
  • WWF-UK's activities as described have exposed the relevant data subjects to substantially distressing and/or damaging consequences, including intrusions into their privacy due to unsolicited direct marketing communications. It is likely that many individuals will have been persuaded by WWF-UK to increase their financial support. Those financial consequences will to a significant extent have flowed from WWF-UK's unlawful data protection practices.
Mitigating Factors
  • WWF-UK co-operated with the Commissioner's investigations.
  • WWF-UK is a charity that seeks to further its objectives in the public interest, rather than for purely private interests or mere financial gain.
  • WWF-UK has taken remedial action.
  • WWF-UK's practices may to an extent have reflected commonplace - albeit mistaken and unlawful - approaches in the charitable sector.
  • The intended monetary penalty may have negative reputational consequences.
Xerpla Limited
4 October 2017
£50,000
PECR – Regulation 22
Factual Background
Xerpla Limited (‘Xerpla’) offers design, advertising and marketing services.
Between 6 April 2015 and 20 January 2017 Xerpla transmitted 1,257,580 unsolicited direct marketing emails. These emails promoted products and services of a wide range of third parties, including providers of pet products, wine, motoring services, financial services and boilers.
The emails were sent to individuals who had subscribed to two websites operated by Xerpla - YouSave.co.uk and HeadsYouWin.co.uk. When subscribing, individuals were informed that by submitting their details, they consented to receive newsletters and offers from and on behalf of offer partners and from other similar third party online discount and deal providers. By subscribing, individuals were also consenting to the processing of their information as outlined in a separate Privacy Policy.
In 2016, the ICO received 14 complaints about the receipt of unsolicited direct marketing emails from the two websites through Xerpla.
ICO Finding
The ICO held that the consent relied on by Xerpla was not sufficiently informed and therefore did not amount to valid consent (Regulation 22 of PECR).
The ICO held that Xerpla did not deliberately seek to contravene Regulation 22 of PECR but ought to have known that there was a risk that these contraventions would occur. This is particularly the case given that direct marketing of this nature is widely publicised by the media as being a problem and that the ICO has published detailed guidance for organisations explaining their legal obligations under PECR.
The ICO was also satisfied that Xerpla failed to take reasonable steps to prevent the contravention. Reasonable steps in these circumstances could have included seeking appropriate guidance on the rules in relation to electronic direct marketing and ensuring that the consent Xerpla sought to rely on was valid.
Harm
The ICO was satisfied that the contravention was ‘serious’ due to the large number of data subjects affected by the 1,257,580 emails sent by Xerpla. It is not clear that the contravention caused any financial loss to those affected, however due to the persistent nature of the emails, the contravention may have caused distress or diversion of time in reporting the contraventions.
Aggravating Factors
No mention of aggravating features
Mitigating Factors
There were no mitigating features
Remedial Action
No mention of remedial action
Xternal Property Renovations Ltd
28 March 2017
£80,000
PECR - Regulation 21
Factual Background
Xternal Property Renovations Ltd (the ‘Company’) provides property maintenance and repair services to members of the public. The Commissioner wrote to the Company on 10 December 2015 regarding its compliance with PECR following a number of complaints having been made by subscribers registered with the Telephone Preference Service (‘TPS’) about unsolicited direct marketing telephone calls.
In February 2016 the Company responded, explaining that it had endeavoured to acquire legitimate and authorised third party customer information. However, the Company did not provide the identity of the company or companies from whom the data had been acquired, nor any evidence of the due diligence performed on the list provider or the data itself. It also became apparent that the Company had not performed any TPS screening as it was still in the process of completing the application process for its licence.
Between 14 August 2015 and 11 April 2016, the ICO received 131 complaints about unsolicited direct marketing calls made by the Company. Of those complaints, 94 were made to the TPS, with a further 37 made direct to the ICO. All of these complaints were made by individual subscribers who were registered with the TPS.
ICO Finding
The ICO found that the Company made a number of unsolicited calls for direct marketing purposes without the appropriate consent (Regulation 21 of PECR).
Between 14 August 2015 and 11 April 2016, the Company used a public telecommunications service to make 131 unsolicited direct marketing calls. The called lines were numbers listed on the register of numbers kept by the Commissioner in accordance with Regulation 26, contrary to Regulation 21(1)(b) of PECR.
The Commissioner was also satisfied for the purposes of Regulation 21 that the 131 complaints were made by subscribers who had registered with the TPS at least 28 days prior to receiving the calls and they had not given their prior consent to the Company to receive calls.
The Commissioner considered that in this case the Company did not deliberately contravene Regulation 21 of PECR, however, the Company ought reasonably to have known the risk of contravening PECR because the Company knew people were complaining about calls received. The Commissioner also found that the Company failed to take reasonable steps to prevent the contraventions.
Harm
The Commissioner did not comment on the harm associated with the contravention in this case. However, the complaints received indicate that at least some of the affected individuals suffered some distress from receiving these calls.
In particular:
  • “I get these calls from early morning to late at night, I'm disabled and I worry about these calls.”
  • “I was concerned about how this company had obtained my details - particularly my name. My number is TPS-registered and has been ex-directory for more than 30 years.”
  • “I object to being called an idiot and told ‘it’ll serve you right when you can’t pay your bills’. Nasty and could really upset an older person.”
Aggravating factors
  • Between 7 September 2015 and 30 November 2015, 109,726 direct marketing calls were made by the Company to individual subscribers registered with the TPS. This represented 81% of the total calls made by the Company in the same period.
  • As late as February 2016 the Company had not performed any TPS screening as it had not yet completed its TPS annual licence application process.
  • The Company did not identify the person instigating the calls and deliberately misled subscribers by using generic company names which had no relation to the Company.
  • There was a failure to fully cooperate with the Commissioner.
  • The Company is a private organisation within a competitive direct marketing industry where continuous breaches of PECR could create an unfair advantage.
Mitigating factors
  • There is a potential for damage to the Company’s reputation which may affect future business.
Your Money Rights Ltd
11 September 2017
£350,000
PECR – Regulation 19
Factual Background
Your Money Rights Ltd (‘YMR’) is a payment protection insurance (‘PPI’) company.
Between 8 March 2016 and 27 July 2016, YMR made 146,020,773 unsolicited automated direct marketing calls concerning PPI claims. During the same period, the ICO received 255 complaints regarding the calls made by YMR.
Upon investigation, it was confirmed that:
  • YMR were not identified as the maker of the calls;
  • Data was licensed to YMR from third party providers; and
  • YMR contracted with a separate third party to make the calls on behalf of YMR.
YMR was unable to provide evidence that it had obtained the necessary consent of the individuals to whom it made the calls.
ICO Findings
The ICO found that YMR made 146,020,773 automated direct marketing calls to individuals without their necessary prior consent (Regulation 19 of PECR).
The ICO stated that it had published detailed guidance for companies carrying out marketing activities explaining their legal obligations under PECR. In particular, it stated that marketing material can only be transmitted via an automated system with the prior consent of the individual.
The ICO held that whilst YMR may not have deliberately set out to contravene PECR, it did deliberately send automated marketing calls on a massive scale to individuals in contravention of Regulation 19 of PECR.
Harm
The ICO was satisfied that the contravention was 'serious' given that YMR instigated the making of over 146 million automated marketing calls to individuals without their prior consent, resulting in 255 complaints being made to the ICO.
While it does not appear that financial loss was suffered by the individuals affected, some may have suffered distress as a result of the provision of their personal data to a third party, or suffered a diversion of resources due to the need to make complaints and deal with the contravention.
Aggravating Factors
  • YMR may have obtained a commercial advantage over its competitors by generating leads from unlawful marketing practices.
  • YMR sent automated direct marketing calls on an enormous scale, with over 146 million calls being made.*
  • YMR were not identified as the body instigating the calls and there were no contact details provided by which YMR could be reached free of charge. This contravened regulation 24 of PECR.
  • The data was provided to a third party.*
Mitigating Factors
  • YMR suffered reputational damage as a result of the contravention and MPN.*
* Not explicitly identified by the ICO in the monetary penalty notice as a mitigating or aggravating factor. However, we have included these factors because such factors have had a significant influence on penalties handed down by the ICO.
Goody Market UK Ltd
8 January 2018
Breach of PECR – Regulation 22 (unsolicited email communication)
Enforcement Notice
Between 1 March 2017 and 5 May 2017, Goody Market UK Ltd (“Goody Market”) used a public electronic telecommunications service for the purposes of instigating the transmission of 111,367 unsolicited communications by means of electronic mail to individual subscribers for the purposes of direct marketing, contrary to regulation 22 of PECR.
As the instigator of the marketing messages, it was the responsibility of Goody Market to ensure that sufficient consent had been acquired. In this case the Commissioner was satisfied that Goody Market did not have the consent of the 111,367 individuals to whom it had sent unsolicited direct marketing text messages.
The Commissioner decided that it is unlikely that actual damage was caused in this instance.
Enforced remedial action required within 35 days:
Except in the circumstances referred to in paragraph (3) of regulation 22 of PECR, Goody Market must neither transmit, nor instigate the transmission of, unsolicited communications, for the purposes of direct marketing, by means of electronic mail, unless the recipient of the electronic mail has previously notified Goody Market that they clearly and specially consent, for the time being, to such communications being sent by, or at the instigation of, Goody Market.
Ainsworth Lord Estates Limited
12 January 2018
DPA 1998 – 6th Data Principle (personal data shall be processed in accordance with the rights of data subjects) and Section 7 (Provides that an individual is entitled to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller and if so sets out what information should be provided).
Enforcement Notice
Ainsworth Lord Estates Limited (“Ainsworth Lord”) failed to respond to multiple invitations from the Commissioner to engage with subject access requests, save for on 16 October 2017, when Ainsworth Lord confirmed that it did not intend to comply. The Commissioner is of the view that the data controller contravened the Sixth Data Protection Principle in that, contrary to section 7, it failed to inform complainants, without undue delay, whether personal data of which these individuals were the data subjects, were being processed by, or on behalf of, the data controller and, where that was the case, failed, without undue delay, to have communicated to them, in an intelligible form, such information as may constitute personal data.
The Commissioner took the view that damage or distress to the complainants was likely, as a result of them being denied the opportunity of correcting inaccurate personal data about them, which may be processed by the data controller, because they were unable to establish what personal data are being processed within the statutory timescale.
Enforced remedial action required within 30 days:
Ainsworth Lord will inform the complainants whether the personal data, processed by the data controller, includes personal data of which the complainants are the data subjects, and shall supply them with copies of any such personal data so processed, in accordance with the requirements of section 7 of the DPA 1998 and the Sixth Data Protection Principle.
Magnacrest Ltd
30 January 2018
Breach of DPA 1998, 6th Principle (personal data must be processed in accordance with the rights of individuals) and Section 7 (Provides that an individual is entitled to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller and if so sets out what information should be provided).
Enforcement Notice
Magnacrest Ltd (“Magnacrest”) failed to supply personal data requested by way of a subject access request in compliance with the requirements of section 7 of the DPA 1998. The initial request was sent to Magnacrest with a cheque for £10 for the subject access request fee on 17 April 2017, with a further copy of the request being sent via electronic mail on 29 May 2017.
The Commissioner was notified of Magnacrest’s failure to respond to the subject access request on 18 June 2017. The Commissioner sent a number of letters to Magnacrest, requesting that it provide a response to the complainant and highlighting its legal obligations in respect of the rights of data subjects under section 7 of the DPA 1998. The Commissioner also engaged with Magnacrest by telephone, setting out its legal obligations. Despite this, Magnacrest failed to comply with the complainant’s subject access request.
The Commissioner found that Magnacrest contravened the Sixth Data Protection Principle in that, contrary to section 7 of the DPA 1998, it failed to inform the complainant, without undue delay, whether personal data, of which this individual was the subject, were being processed by or on behalf of Magnacrest and, where that was the case, failed, without undue delay, to have communicated to the subject in an intelligible form such information as may constitute such personal data.
Enforced remedial action, required within 30 days:
Magnacrest must inform the complainant whether the personal data processed by Magnacrest includes personal data of which the complainant is the data subject, and shall supply him with a copy of any such personal data so processed in accordance with the requirements of section 7 of the DPA 1998, and the Sixth Data Protection Principle.
Gain Credit LLC
9 February 2018
Breach of DPA 1998 – 6th Data Principle (personal data must be processed in accordance with the rights of individuals) and Section 7 (Provides that an individual is entitled to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller and if so sets out what information should be provided).
Enforcement Notice
Gain Credit LLC (“GC LLC”) is a “data controller” as defined in section 1(1) of the DPA 1998.
Section 4(4) of the DPA 1998 provides that, subject to section 27(1), it is the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.
The Commissioner’s view was that, in failing to respond to a subject access request in compliance with section 7 of the DPA 1998, GC LLC contravened the Sixth Data Protection Principle in that, contrary to section 7, it failed to inform the complainant, without undue delay, whether personal data, of which this individual was the data subject, were being processed by, or on behalf of, GC LLC and, where that was the case, failed, without undue delay, to have communicated to him, in an intelligible form, such information as may constitute such personal data.
Enforced remedial action required within 30 days:
GC LLC were required to inform the complainant whether the personal data processed by GC LLC included personal data of which the complainant is the data subject, and to supply him with a copy of any such personal data so processed in accordance with the requirements of section 7 of the DPA 1998 and the Sixth Data Protection Principle in that respect, subject only to the proper consideration and application of any exemption from, or modification to, section 7 of the DPA 1998 provided for, in, or by virtue of Part IV of the DPA 1998 which may apply.
Humberside Police
28 March 2018
Monetary Penalty Notice: £130,000
Breach of DPA 1998 – 7th Principle (data must be kept secure)
Factual background
On 13 June 2015, Humberside Police interviewed an alleged rape victim on behalf of Cleveland Police. The interview took place at the Sexual Assault Referral Centre in Hull and was recorded, with video footage, onto three unencrypted disks: the master copy and two further copies. The three disks, with accompanying written notes, were passed to the Protecting Vulnerable People (“PVP”) Unit with the intention of sending all three disks to Cleveland Police.
The disks themselves had the victim's name, date of birth and date of interview written on them. The disks comprised an interview with the alleged victim and contained information relating to the period prior to the alleged rape, how the alleged victim and alleged perpetrator met, travel arrangements, details relating to the scene of the alleged rape, the alleged rape itself, actions of both alleged victim and perpetrator, and the alleged victim's mental health status.
The unencrypted disks and the written notes were placed together in a single envelope on an officer's desk; Humberside Police later determined that the envelope had been lost. Some 14 months later, on 11 August 2016, Cleveland Police notified Humberside Police of the potential loss, because it had no record of the disks having been received. An internal search by Humberside Police failed to locate them. The lost disks were the only copies held by Humberside Police, and the alleged victim was informed of the loss on 23 November 2016.
ICO finding
The Commissioner found that Humberside Police failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data in contravention of the Seventh Data Protection Principle at Part I of Schedule 1 to the DPA 1998. Humberside Police also failed to comply with the requirements set out in paragraph 9 at Part II of Schedule 1 to the DPA 1998.
In particular:
  • Humberside Police failed to encrypt the disks before sending (or intending to send) by unsecure mail;
  • Humberside Police failed to maintain a detailed audit trail of the package, either on the case or by way of other auditable record; and
  • The PVP Unit within Humberside Police failed to adhere to its 'Information Security policy' in relation to removable media.
The Commissioner did not consider the contravention deliberate but held that Humberside Police should have known, or ought reasonably to have known, that there was a risk that this contravention would occur. The Commissioner found that Humberside Police had failed to take reasonable steps to prevent the contravention.
Harm
The Commissioner was satisfied that the contravention identified was serious, because the disks and written notes contained confidential and highly sensitive personal data. The contravention would cause distress to the data subjects who may suspect that their confidential and highly sensitive personal data has been disclosed to a recipient who has no right to see that information.
Further, the data subjects would be distressed by concerns that their data has been further disseminated, even if those concerns do not actually materialise. Such concerns would be compounded by the fact that the disks and notes have still not been recovered by the data controller. In the circumstances, the distress suffered by the data subjects was considered to extend beyond mere irritation.
Aggravating factors
  • Loss of the master disk and two copies, along with written notes, heightens the impact of loss and potential for distress.
  • Loss of the master disk has implications for the effectiveness of the remedial measures taken in response as, unless the master or copy should be recovered, the evidence contained on the disks has been permanently lost.
  • Humberside Police is a public authority, so liability to pay a monetary penalty will not fall on any individual.
  • Humberside Police has access to sufficient financial resources to pay the proposed monetary penalty without causing undue financial hardship.
Mitigating factors
  • Humberside Police were not informed of the data loss by Cleveland Police until some 14 months after the event, which impaired Humberside Police's ability to make prompt and effective enquiries in order to adequately trace the missing disks and to identify the specific individual responsible for the loss.
  • Humberside Police voluntarily reported to the ICO.
  • The data had not been accessed by an unauthorised third party as far as the Commissioner was aware.
  • Humberside Police notified the alleged victim.
  • Humberside Police had been fully co-operative with the ICO.
  • Humberside Police had taken remedial action.
  • There will be a significant impact on Humberside Police's reputation as a result of this security breach.
Penalty
The Commissioner fined Humberside Police £130,000, reduced by 20% to £104,000 if Humberside Police paid by 1 May 2018.
The Energy Saving Centre Ltd
16 April 2018
Enforcement Notice
Breach of PECR – Regulation 21 (unsolicited telephone calls)
Between 21 June 2016 and 20 September 2017, Energy Saving Centre Ltd (“ESC”) used a public telecommunications service for the purpose of making 1,138 unsolicited calls for direct marketing purposes, and then on 5 December 2016 undertook the same in respect of 33,432 unsolicited calls, contrary to Regulation 21 of PECR.
Enforced remedial action required within 35 days:
Except in the circumstances referred to in paragraphs (3) & (4) of Regulation 21 of PECR, neither make, nor instigate unsolicited calls for direct marketing purposes to subscribers where the number allocated to the subscriber in respect of the called line was a number listed on the register of numbers kept by the Commissioner in accordance with Regulation 26, contrary to regulation 21(1)(b) of PECR.
IAG Nationwide Ltd
25 April 2018
Enforcement Notice
PECR – Regulations 21 and 24 (unsolicited telephone calls)
Between 3 May 2016 and 25 August 2017, IAG Nationwide Ltd (“IAG”) used a public telecommunications service for the purpose of making 69,317 unsolicited calls for direct marketing purposes to subscribers where the number allocated to the subscriber, in respect of the line called, was a number listed on the register of numbers kept by the Commissioner in accordance with regulation 26, contrary to regulation 21(1)(b) of PECR.
The Commissioner was satisfied that the company did not have consent within the meaning of regulation 21 of PECR. The Commissioner was also satisfied, for the purposes of regulation 24, that although a valid Calling Line Identification was presented, it did not allow subscribers to identify the caller, as the company name was withheld and a false email address was provided.
Enforced remedial action required within 35 days:
  • Neither make, nor instigate, unsolicited calls for direct marketing purposes to subscribers where:
    • the called line is that of a subscriber who has previously notified the caller that such calls should not, for the time being, be made on that line, contrary to regulation 21(1)(a) of PECR; or
    • the number allocated to the subscriber, in respect of the called line, is a number listed on the register of numbers kept by the Commissioner in accordance with regulation 26, contrary to regulation 21(1)(b) of PECR;
    except:
    • where the number allocated to the called line has been listed on the register for less than 28 days preceding that on which the call is made; or
    • where a subscriber has notified the caller that he does not, for the time being, object to such calls being made on that line by that caller, notwithstanding that the number allocated to that line is listed in the said register; and
  • The communication must include the name of IAG and either the address of IAG or a telephone number on which IAG can be reached free of charge.
Our Vault Ltd
28 June 2018
PECR – Regulation 21 (unsolicited telephone calls)
Enforcement Notice
Between 1 March 2016 and 16 June 2016, Our Vault Limited (“OVL”) used a public telecommunications service for the purpose of making 55,534 unsolicited calls for direct marketing purposes to subscribers whose numbers were listed on the register of numbers kept by the Commissioner in accordance with regulation 26 of PECR, contrary to regulation 21(1)(b) of PECR. These calls were made to subscribers who had registered with the TPS at least 28 days prior to receiving the calls and had not given their prior consent to OVL to receive calls.
The Commissioner decided that it was unlikely that actual damage had been caused in this instance, but that it was appropriate for her to exercise her discretion in favour of issuing an Enforcement Notice, as it would act as an encouragement to ensure that such PECR compliance issues are not repeated elsewhere.
Enforced remedial action required within 35 days:
Except in the circumstances referred to in paragraphs (3) and (4) of regulation 21 of PECR, neither make, nor instigate unsolicited calls for direct marketing purposes to subscribers where the number allocated to the subscriber was listed on the register of numbers kept by the Commissioner in accordance with regulation 26, contrary to regulation 21(1)(b) of PECR.
Horizon Windows
28 June 2018
PECR – Regulation 21 (unsolicited telephone calls)
Enforcement Notice
The Commissioner received numerous complaints through the TPS and from individuals directly, alleging that they had received unsolicited marketing calls from Horizon Windows Limited (“HWL”). Each individual stated that they had previously notified HWL that such calls should not be made and/or had registered their number with the TPS.
HWL used a public telecommunications service for the purposes of making 104 unsolicited calls for direct marketing purposes to subscribers whose numbers were listed on the register of numbers kept by the Commissioner in accordance with regulation 26, contrary to regulation 21(1)(b) of PECR. These calls were made to subscribers who had registered with the TPS at least 28 days prior to receiving the calls and had not given their prior consent to HWL to receive the calls.
The Commissioner concluded that HWL contravened regulation 21 of PECR in making such calls for direct marketing purposes to subscribers. Additional enquiries revealed that, since the period of the contravention, complaints had continued to be received about calls by HWL, suggesting that HWL did not take its responsibilities under PECR seriously. The TPS confirmed to the Commissioner that HWL had not downloaded a copy of the TPS register of numbers since February 2017, which indicated that HWL was not effectively screening numbers against the most up-to-date list.
The Commissioner considered the contravention serious in terms of the volume and continuing nature of complaints and the issuing of an Enforcement Notice would be fair and just in acting as an encouragement to ensure that such PECR compliance issues are not repeated elsewhere.
Enforced remedial action required within 35 days:
Except in circumstances referred to in paragraphs (3) and (4) of regulation 21 of PECR, neither make nor instigate unsolicited calls for direct marketing purposes to subscribers where the number allocated to the subscriber in respect of the called line was a number listed on the register of numbers kept by the Commissioner in accordance with regulation 26, contrary to regulation 21(1)(b) of PECR.
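The IAG Nationwide and Horizon Windows notices above together set out the screening logic a caller is expected to apply under regulation 21: block numbers whose subscriber has opted out with the caller (regulation 21(1)(a)), block numbers on the TPS register (regulation 21(1)(b)) unless the number has been listed for less than 28 days (regulation 21(3)) or the subscriber has told the caller they do not object (regulation 21(4)), and do all of this against a recently refreshed copy of the register. The following Python script is an added illustration of that decision procedure; it is not code from the ICO or from any company named on this page. The register entries, opt-outs, consents and call list are constructed sample data, the number normalisation is a deliberately simple UK-only routine, and the rule that a register copy older than 28 days blocks all calling is an assumption made for the example (the Horizon Windows notice only records that the register had not been refreshed since February 2017).

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Regulation 21(3) of PECR: a number listed on the register for fewer than 28 days
# before the call is made is not yet protected by the listing.
TPS_GRACE_PERIOD = timedelta(days=28)

# Assumption for this example: a register download older than this is treated as
# stale and no calls are permitted until it has been refreshed.
MAX_REGISTER_AGE = timedelta(days=28)


def normalise(number: str) -> str:
    """Reduce a UK telephone number to a canonical digit string (e.g. '+44 1234 567891' -> '01234567891')."""
    digits = "".join(ch for ch in number if ch.isdigit() or ch == "+")
    if digits.startswith("+44"):
        digits = "0" + digits[3:]
    elif digits.startswith("44") and len(digits) > 10:
        digits = "0" + digits[2:]
    return digits.lstrip("+")


@dataclass
class TpsRegister:
    downloaded_on: date
    # canonical number -> date on which the number was listed on the register
    listed: dict[str, date]


@dataclass
class Screener:
    register: TpsRegister
    opt_outs: set[str] = field(default_factory=set)   # reg 21(1)(a): subscriber told this caller not to call
    consents: set[str] = field(default_factory=set)   # reg 21(4): TPS-listed subscriber told this caller they do not object

    def decide(self, number: str, call_date: date) -> tuple[bool, str]:
        """Return (may_call, reason) for one number on a given date."""
        n = normalise(number)
        if call_date - self.register.downloaded_on > MAX_REGISTER_AGE:
            return False, "register copy is stale; refresh the TPS download before calling"
        # A direct opt-out with the caller is treated as overriding (conservative choice for this example).
        if n in self.opt_outs:
            return False, "subscriber has notified the caller not to call (reg 21(1)(a))"
        listed_on = self.register.listed.get(n)
        if listed_on is None:
            return True, "not listed on the TPS register"
        if n in self.consents:
            return True, "TPS-listed but subscriber has told the caller they do not object (reg 21(4))"
        if call_date - listed_on < TPS_GRACE_PERIOD:
            return True, "TPS-listed for fewer than 28 days (reg 21(3))"
        return False, "TPS-listed for 28 days or more and no consent (reg 21(1)(b))"


def screen_calls(screener: Screener, numbers: list[str], call_date: date):
    """Split a call list into (allowed, blocked); each entry is (canonical number, reason)."""
    allowed: list[tuple[str, str]] = []
    blocked: list[tuple[str, str]] = []
    for num in numbers:
        ok, reason = screener.decide(num, call_date)
        (allowed if ok else blocked).append((normalise(num), reason))
    return allowed, blocked


def build_sample_screener() -> Screener:
    """Constructed sample register and notifications; none of these are real subscribers."""
    register = TpsRegister(
        downloaded_on=date(2018, 6, 1),
        listed={
            "01234567890": date(2018, 1, 15),  # long listed -> blocked
            "01234567891": date(2018, 5, 20),  # listed 21 days before the 10 June call -> grace period
            "01234567893": date(2017, 3, 1),   # listed, but subscriber consented to this caller
            "01234567895": date(2018, 5, 13),  # exactly 28 days before the 10 June call -> blocked
        },
    )
    return Screener(register, opt_outs={"01234567894"}, consents={"01234567893"})


SAMPLE_CALL_LIST = [
    "01234 567890", "+44 1234 567891", "01234 567892",
    "01234 567893", "01234 567894", "01234 567895",
]

if __name__ == "__main__":
    screener = build_sample_screener()
    allowed, blocked = screen_calls(screener, SAMPLE_CALL_LIST, date(2018, 6, 10))
    for number, reason in allowed:
        print(f"ALLOW {number}: {reason}")
    for number, reason in blocked:
        print(f"BLOCK {number}: {reason}")
```

Run against the sample list on 10 June 2018 the script allows three numbers and blocks three; running the same list on 15 July 2018 blocks everything, because the register copy is then older than the assumed 28-day refresh window. Regulation 24 (caller identification and a free-of-charge contact number, the other point in the IAG notice) is a property of the call content rather than of the list and is not modelled here.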
Ainsworth Lord Estates Limited
18 June 2018
Breach of DPA 1998 – 6th Principle (personal data shall be processed in accordance with the rights of the data subject) and Section 7 (Provides that an individual is entitled to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller and if so sets out what information should be provided).
Enforcement Notice
Ainsworth Lord Estates Limited (“Ainsworth”), a data controller, failed to supply personal data requested by way of a subject access request, in contravention of the requirements of section 7 of the DPA 1998. The complainant’s subject access request was first sent to Ainsworth on 4 September 2017. The complainant had attempted to engage Ainsworth several times and had heard nothing save for a single ‘out of office’ response from Ainsworth on 4 September 2017. Furthermore, the cheques she had sent to the data controller to cover any nominal costs involved in processing her request had not been cashed. The complainant contacted the Commissioner on 23 January 2018 regarding Ainsworth’s failure to respond.
The Commissioner wrote to Ainsworth on 2 February 2018 to ask that they prioritise the complainant’s subject access request, however no response was forthcoming. The Commissioner’s view was that Ainsworth contravened the Sixth Data Protection Principle in that, contrary to section 7 of the DPA 1998, it failed to inform the complainant, without undue delay, whether personal data of which this individual was the data subject were being processed by or on behalf of Ainsworth and, where that was the case, failed, without undue delay, to have communicated to her in an intelligible form such information as may constitute such personal data. Damage or distress to the complainant was likely as a result of her being denied the opportunity of correcting inaccurate personal data about her, which may have been processed by the data controller, because she was unable to establish what personal data were being processed within the statutory timescale.
Enforced remedial action required within 30 days:
Inform the complainant whether the personal data processed by Ainsworth includes personal data of which the complainant is the data subject and to supply her with a copy of any such personal data so processed in accordance with the requirements of section 7 of the DPA 1998 and the Sixth Data Protection Principle in that respect, subject only to the proper consideration and application of any exemption from, or modification to, section 7 of the DPA 1998 provided for in, or by virtue of, Part IV of the DPA 1998, which may apply.
Everything DM Ltd
4 September 2018
PECR - Regulation 22 (unsolicited e-mail communication)
Enforcement Notice
Between 31 May 2016 and 30 May 2017, Everything DM Ltd (“EDML”) used a public electronic telecommunications service for the purposes of instigating the transmission of 1,424,144 unsolicited communications by means of electronic mail to individual subscribers for the purposes of direct marketing, contrary to regulation 22 of PECR.
Enforced remedial action required within 30 days:
Neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail, unless the recipient of the electronic mail has previously notified EDML that he consents for the time being to such communications being sent by, or at the instigation of, EDML.
London Borough of Lewisham
4 September 2018
Breach of DPA 1998 – 6th Principle (personal data must be processed in accordance with the rights of individuals) and Section 7 (Provides that an individual is entitled to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller and if so sets out what information should be provided).
Enforcement Notice
On 29 March 2018, the London Borough of Lewisham (“Lewisham”) confirmed a backlog of 113 subject access requests from individuals across four directorates, the oldest of which dated to 2013. Lewisham informed the ICO that the original deadline of 31 July 2018 for clearing the backlog would not be met. A further update was provided to the ICO, stating that a further 19 outstanding subject access requests were received before 25 May 2018.
The ICO was of the view that Lewisham’s systems, procedures and policies in place for dealing with subject access requests were generally inadequate, and Lewisham was unable to satisfy its obligations in respect of the outstanding subject access requests.
Enforced remedial action:
By Monday 15 October 2018 at the latest, inform the 19 individuals who submitted subject access requests before 25 May 2018 whether the personal data processed by it includes personal data of which those individuals are the data subjects. Lewisham shall also supply each of the individuals with a copy of any such personal data so processed, in accordance with the requirements of section 7 of the DPA 1998 and the 6th Principle in that respect, subject only to the proper consideration and application of any exemption from, or modification to, section 7 of the DPA 1998, provided for in, or by virtue of, Part IV of the DPA 1998 which may apply.
AggregateIQ Data Services Ltd (Enforcement Notice)
24 October 2018
Articles 5 (Principles relating to processing of personal data), 6 (Lawfulness of processing) and 14 (Information to be provided where personal data have not been obtained from the data subject) of the GDPR
AggregateIQ Data Services Ltd (“AIQ”) had contracts in place with various political organisations, in particular Vote Leave, BeLeave, Veterans for Britain and the DUP Vote to Leave. Under these contracts, AIQ was provided with personal data, including the names and email addresses of UK individuals. This personal data was then used to target those individuals with political advertising on social media.
The Commissioner was satisfied that AIQ failed to comply with Articles 5 and 6 of the GDPR, because AIQ processed personal data in a way that the data subjects were not aware of, for purposes they would not have expected, and without a lawful basis for that processing. In addition, the ICO found that the processing was incompatible with the purposes for which the data was originally collected.
Enforced remedial action required within 30 days:
Erase any personal data of individuals in the UK, determined by reference to the domain name and email addresses processed by AIQ, retained by AIQ on its servers as notified to the Commissioner.
Metropolitan Police Service
16 November 2018
Breach of DPA 1998 – 1st (personal data must be processed fairly and lawfully), 3rd (personal data must be adequate, relevant and not excessive), 4th (personal data must be accurate and up to date) and 5th (personal data must not be kept for any longer than necessary) Principles
Enforcement Notice
The Metropolitan Police Service (“MPS”) sets out its approach to tackling gang crime in the ‘Gangs Operating Model’ (the “Model”). Under the Model, each London borough creates its own localised Gangs Matrix, through which an individual who has been identified as a gang member (a “gang nominal”) is assessed. According to the Model, individuals should only be included in the Gangs Matrix if they meet the threshold definition of a gang nominal, if they have been assessed through the centralised Matrix scoring criteria, and if they reach the set threshold scores.
The Commissioner’s investigation has concluded that the actual practice of the Matrix has not always accorded with the strategy outlined in the Model. One of the issues with the Matrix is the inclusion of victims of gang crime, and the Commissioner further found that the Matrix does not clearly distinguish between the approach to victims of gang-related crime and the perpetrators of gang-related crime.
Enforced remedial action required within 6 months:
  • Conduct a data protection impact assessment on the Gangs Matrix.
  • Ensure that data subjects retained on the Matrix are clearly identified and labelled, so as to distinguish between victims of crime and actual or suspected offenders.
  • Implement a retention schedule, which addresses how and when data subjects should be removed from the Matrix, and that the personal data of those data subjects is not otherwise to be retained.
  • Erase any informal lists, which process the personal data of data subjects who no longer meet the criteria for retention on the Matrix.
  • Conduct a full review of all data sharing relating to the Gangs Matrix across the MPS, in order to evaluate what sharing is occurring, the legal basis for that sharing, whether such sharing is necessary and justified, and whether any sharing is properly regulated by formal written agreements approved by the MPS Information Rights Unit.
  • Develop guidance on information sharing relating to the Gangs Matrix, including differentiating information sharing with third parties exercising statutory functions and third parties with no such functions, and addressing the matters in the previous point above.
  • Confirm that any and all information sharing of personal data on or derived from the Gangs Matrix will only occur under a formal written agreement approved by the MPS Information Rights Unit, with third parties similarly so approved, consistent with the guidance to be issued.
  • Implement compulsory purpose-specific training for all officers and staff responsible for processing personal data on the Gangs Matrix.
  • Ensure that all officers and staff deployed within units dealing with gang crime have completed the MPS' mandatory data protection training.
  • Introduce data loss prevention and loss detection software on MPS systems to protect against personal data on the Gangs Matrix and related documents being inappropriately disclosed.
  • Ensure that access restrictions are imposed on officers and staff who no longer need to access the Matrix.
  • Ensure that a comprehensive access log is maintained of all those with access to the Gangs Matrix.
  • Ensure that all personal data on the Gangs Matrix and any related documents is protected by encryption. This should apply to data held on MPS servers and to any such data being shared with third parties, including in transit.
  • Develop guidance in relation to the use of social media as a source of 'verifiable intelligence' in relation to personal data.
  • Develop guidance that assists boroughs and ensures consistent decision-making in relation to:
      • The composition of 'the gang(s)' the MPS is policing for the purpose of the 'gangs strategy';
      • How gang membership is evidenced;
      • How to distinguish between a serious youth violence offender and a gang member; and
      • The appropriate intelligence sources to be used to identify gang membership.
  • Conduct regular audits on all Borough Operational Command Units to assess compliance with guidance issued concerning the Gangs Matrix, and with the DPA 1998 more generally.
DM Design Bedrooms Ltd
23 November 2018
Breach of PECR, Regulation 21 (unsolicited telephone calls)
Enforcement Notice
Between 1 April 2017 and 30 November 2017, DM Design Bedrooms Ltd (“DM Design”) used a public telecommunications service for the purposes of making 1,661,607 unsolicited calls for direct marketing purposes where the subscriber was listed on the TPS. The Commissioner and the TPS received a total of 99 complaints as a result.
Enforced remedial action required within 35 days:
Neither use, nor instigate the use of, a public electronic communications service for the purposes of making unsolicited calls for direct marketing purposes, where the called line is that of:
  • A subscriber who has previously notified DM Design that such calls should not be made on that line; and/or
  • A subscriber who has registered their number with the TPS at least 28 days previously, and who has not notified DM Design that they do not object to such calls being made.
Solartech North East Ltd
23 November 2018
Breach of PECR – Regulation 21 (unsolicited telephone calls)
Enforcement Notice
Between 1 January 2017 and 30 June 2017 Solartech North East Ltd used a public telecommunications service for the purpose of making 74,902 unsolicited calls for direct marketing purposes to subscribers who were registered with the TPS, contrary to Regulation 21 of PECR.
Enforced remedial action required within 35 days:
Except in the circumstances referred to in paragraphs (3) and (4) of Regulation 21 of PECR, neither make, nor instigate, unsolicited calls for direct marketing purposes to subscribers where the number allocated to the subscriber in respect of the called line was a number listed on the register of numbers kept by the Commissioner in accordance with Regulation 26, contrary to Regulation 21(1)(b) of PECR.
Tax Returned Limited
10 December 2018
PECR- Regulation 22 (unsolicited electronic mail)
Enforcement notice
Between 1 July 2016 and 20 October 2017, Tax Returned Limited (“TRL”) instigated the sending of 14,800,000 unsolicited communications by means of electronic mail contrary to regulation 22 of PECR. This led to 2,146 complaints being made by subscribers who had not previously consented to receiving such marketing.
Whilst TRL did not send the messages itself, it had an agreement with a third party service provider (“TPSP”) to send the messages on its behalf. The aim of the messages was to promote TRL’s services. The Commissioner was satisfied that TRL was the instigator of the messages and, as the instigator, it was TRL’s responsibility to ensure that valid, albeit indirect, consent to send those messages had been acquired.
In all but five of the 42 Privacy Policies or Fair Processing Notices relied upon for the purposes of consent, and disclosed to the Commissioner, TRL was not named. TRL instead relied on reference to a wide range of marketing sectors and on a mention of data being passed to general ‘third parties’, which the Commissioner found not to be sufficient to enable informed consent. Of the policies that did name TRL, TRL was not immediately visible to subscribers, there was no option for the subscriber to specifically select which third parties they would like to receive marketing from, nor to specify the type and method of marketing they would like to receive, and acceptance of marketing was a condition of subscription in some instances.
The Commissioner was therefore satisfied that TRL did not have the necessary valid consent for the messages that were sent and that TRL was responsible for this contravention.
Enforced remedial action required within 35 days:
Except in the circumstances referred to in paragraph (3) of regulation 22 of PECR, neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail, unless the recipient has previously notified TRL that they clearly and specifically consent for the time being to such communications being sent by, or at the instigation of, TRL.
Chief Constable Surrey Police
22 January 2018
Breach of DPA 1998 – 7th Principle (personal data shall be held securely)
Undertaking
In July 2016 the Commissioner was made aware that an unredacted Regulation 13 file, containing personal and sensitive data and originating from the Chief Constable of Surrey Police (the “Police”), was in the possession of a member of the public, who subsequently published some of the data contained in the file on Twitter. The file had been compiled by a probationary police officer and contained documents created by that officer evidencing how they had met performance requirements. The documents included information regarding third parties, including details of crimes and personal and sensitive data regarding crime victims, at a level of detail that did not need to be included. The file was initially disclosed to the probationary police officer in June 2014. However, prior to the disclosure of the data, the Police (who were the data controller) did not identify that the documents created by the officer contained that amount of personal and sensitive data relating to third parties. Following disclosure, the officer further disclosed the file to the member of the public, who was acting as their representative in respect of disciplinary proceedings. This individual subsequently posted details taken from the file on Twitter in July 2016.
The Commissioner found that, while the Police had some measures in place, there were limited security procedures regarding making disclosures of Regulation 13 files. There were no checks regarding the content of the file, nor were checks required. The Commissioner also found that sufficient measures were not in place at the time of the disclosure to ensure that staff leaving the Police’s employ did not retain documents containing personal or sensitive data.
The Police shall ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Part I of Schedule 1 to the DPA 1998, and in particular that:
  • Checks are undertaken on Regulation 13 data prior to disclosure to ensure that personal data is properly redacted or minimised to only that which is necessary, and completion of such checks is to be appropriately recorded;
  • Staff are made aware of the appropriate checking procedures to be conducted prior to making disclosures of Regulation 13 data;
  • Checks are implemented to ensure that staff leaving the data controller’s employ do not retain personal or sensitive personal data in their possession, which originates from the Police, and completion of such checks is to be appropriately recorded; and
  • The Police shall implement such other security measures as are appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.
West Midlands Police
12 January 2018
DPA 1998 - 7th Principle (personal data shall be held securely)
Undertaking
The Commissioner was informed by West Midlands Police (the “Police”) that a data breach had occurred in relation to the publicising of a Criminal Behaviour Order (“CBO”), which was imposed on two individuals in March 2015. The CBO concerned offences that involved damage to property and threats of violence, details of which were publicised by the Police in a leaflet. The leaflet was to be distributed in the area local to where the offences took place. The CBO prohibited the offenders from entering certain areas of Birmingham and from associating with one another in these areas. The CBO also prohibited the offenders from contacting the victims of and witnesses to the offences. A draft version of the leaflet included this information and effectively revealed the names of the victims and the witnesses to the offences; it was distributed to approximately 30 homes without the victims’ and witnesses’ consent or knowledge, leaving them at risk of intimidation and harm. Some of the data that was compromised constituted sensitive personal data, as it related to proceedings for the committal of an offence.
Whilst a detailed risk assessment was conducted during the creation of the leaflet in relation to the use of photographs of offenders, no equivalent risk assessment existed for victims or witnesses to an offence. The Police explained to the Commissioner that the draft version of the leaflet was never intended for distribution, and that they intended to notify the victims and witnesses of the intention to distribute the leaflet.
The Police shall ensure that personal data are processed in accordance with the Seventh Data Protection Principle and, in particular, that:
  • Risk assessments are carried out in relation to victims of, or witnesses to, offences during the creation of publicity materials regarding CBOs;
  • Victims of, and witnesses to, an offence are informed before such publicity materials are published;
  • The procedure for the creation, approval and distribution of such publicity materials is to be documented;
  • Processes for the creation of other publicity materials are to be reviewed to ensure that these processes comply with the DPA 1998;
  • Mandatory data protection training is to be given to all new members of staff who have access to, or otherwise process, personal data, on induction;
  • Data protection training is to be refreshed for all members of staff who have access to, or otherwise process, personal data, on an annual basis; and
  • Systems are to be introduced to monitor the uptake of data protection training.
The above steps should be implemented within three months.
Humberside Police
8 June 2018
Breach of DPA 1998 – 7th Principle (Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data)
Undertaking
Humberside Police informed the Commissioner on 5 October 2016 about the loss of ‘Achieving Best Evidence’ interview disks and written notes about an alleged rape. The disks were not encrypted nor password protected.
The Commissioner expects organisations to provide training to their staff so that they understand their responsibilities under the DPA 1998, and to refresh that training regularly. Such training reduces the likelihood of data breaches occurring. The Commissioner found that information security modules were included in the police training package; however, completion of this training module was only made mandatory in 2017. The force’s compliance rate in relation to data protection training was only 16.8% on 14 September 2017. Humberside Police did not have a reliable method of monitoring the completion of initial or refresher training.
In May 2013 the Commissioner audited Humberside Police. One of the identified areas for improvement was that the force should provide mandatory data protection and information security training with regular refresher training to maintain the current knowledge and to make staff aware of the risks relating to non-compliance with Principle 7 of the DPA 1998. Humberside Police provided an update at the audit follow-up, stating that training had been evaluated and would be given on a three yearly basis. A training package was introduced in 2015, but the Commissioner remained concerned about the force’s failure to implement training and refresher training and to implement an effective mechanism to monitor uptake of that training. The Commissioner also found awareness of DPA 1998 policies was lacking at the time of the incident.
Enforced remedial action required:
  • Humberside Police shall ensure all staff responsible for handling personal data receive specific data protection training, within six months.
  • Humberside Police shall ensure all staff who regularly handle removable media, such as CD ROMs, DVD ROMs and USB memory sticks, receive training about the use of encryption, including when it is appropriate to use encryption and how to encrypt.
  • Humberside Police should ensure that such training should be refreshed annually.
  • Humberside Police shall ensure that all new staff responsible for the handling of personal data are given specific training upon induction.
  • Humberside Police shall devise and implement a system to ensure completion of data protection training is monitored, and procedures are in place to ensure staff who have not completed training in the specified time do so promptly. This should be completed in three months.
  • Humberside Police should ensure DPA 1998 policies and procedures are promoted and made available to staff in all departments that handle personal data.
Direct Choice Home Improvements Limited
14 February 2018
DPA 1998, s.47 (failure to comply with notice)
Prosecution
Direct Choice Home Improvements Limited (“Direct Choice”) was prosecuted at Swansea Magistrates’ Court for the offence of breaching the Enforcement Notice issued to it in March 2016, requiring Direct Choice to cease contacting people registered with the Telephone Preference Service.
Action:
Nobody from Direct Choice appeared when the case was heard at Swansea Magistrates’ Court and an offence under section 47 of the DPA 1998 was proved in absence. Direct Choice was fined £400 and was also ordered to pay £364.08 and a victim surcharge of £40.
Daniel Short
17 May 2018
Section 55, DPA 1998 (offence of illegally obtaining personal information)
Fine: £355 (plus £35 victim surcharge and £700 costs)
Daniel Short was prosecuted at Exeter Magistrates’ Court for the offence of illegally obtaining personal information, namely information relating to clients and service users.
Mr Short handed his notice to his former employer and intended to set up his own recruitment business. Mr Short took a total of 272 CVs from his former employer’s database.
Action:
Mr Short pleaded guilty to the offence under section 55 of the DPA 1998. He was fined £355, ordered to pay a £35 victim surcharge and was also ordered to pay £700 costs.
Noble Design and Build of Telford
2 July 2018
Prosecution: failure to comply with Information Notice
Fine: £4,500 (plus £364.08 costs and £170 victim surcharge)
Noble Design and Build of Telford (“Noble Design”) was prosecuted at Telford Magistrates’ Court for the offence of failing to comply with an Information Notice. The company also failed to register with the ICO, which is a criminal offence.
Action:
Noble Design was found guilty in its absence and fined £2,000 for failing to comply with an Information Notice, under section 47 of the DPA 1998. Noble Design was also fined £2,500 for processing personal data electronically without having notified when required to do so, under Section 17 of the DPA 1998, and ordered to pay costs of £364.08 and a victim surcharge of £170.00.
Clare Lawson
24 September 2018
Prosecution (s.55 DPA 1998)
Fine: £400 (plus £364.08 costs and £40 victim surcharge)
Clare Lawson, a former nurse at Southport and Ormskirk Hospital NHS Trust, was prosecuted at Bootle Magistrates’ Court for the offence of unlawfully obtaining personal data. Ms Lawson inappropriately accessed the records (including maternity and paediatric records) of five patients 17 times. Ms Lawson also accessed the blood results of a friend 44 times after they had been discharged.
Action:
Ms Lawson pleaded guilty to the offence under section 55 of the Data Protection Act 1998 and was fined £400, ordered to pay costs of £364.08 and a £40 victim surcharge.
The Carphone Warehouse Limited
8 January 2018
Breach of DPA 1998 – 7th Principle (personal data shall be kept secure)
Monetary Penalty Notice: £400,000
Factual background
Carphone Warehouse is a telecommunications retailer and subsidiary of Dixons Carphone Plc (“Dixons”). Carphone Warehouse operated a computer system, which was overseen by Dixons and was separate from the systems for Carphone Warehouse’s retail outlets. The system contained:
  • Records for approximately 3,348,869 customers of mobile phone service providers, which comprised full names, dates of birth, marital statuses, addresses, time at addresses, phone numbers and email addresses;
  • Records for 389 customers across two other companies, comprising full names, dates of birth, email addresses, passwords, phone numbers and addresses;
  • Historic transaction details spanning 18,231 payment cards, comprising cardholders’ names and addresses, card expiry dates and card numbers (PAN, CID, CVC2 and CVV2); and
  • Records for approximately 1,000 employees, comprising names, postcodes, work email addresses, personal and work phone numbers, car registration numbers, department and line manager information.
This penalty concerns a specific Carphone Warehouse computer system ("the System"), which was overseen by a specific division of Dixons. The System consisted of a complex cluster of virtual servers hosting several internal and external websites, including e-commerce sites. The System was separate from the computer systems for Carphone Warehouse's retail outlets.
The System was subject to an external cyberattack, in which the attacker scanned the System’s servers. One of the vulnerable points was an installation of the WordPress content management system, which allowed the attacker to enter the System and upload web shells, giving the attacker basic file management and database functionality over the contents of the System. The attacker accessed numerous databases, which included some or all of the personal data specified above. It cannot be ascertained whether any of the data were exported, but it is a very realistic possibility.
The attacker’s actions alerted Carphone Warehouse to the breach and they took steps to end the attack and undertook remedial measures.
ICO Finding
The ICO found that Carphone Warehouse breached the 7th Data Protection Principle in that:
  • Important elements of the software in use on the System were many years out of date: the version of WordPress used by Carphone Warehouse was six years old at the time of the attack;
  • Carphone Warehouse’s approach to software patching was seriously inadequate: they did not follow their ‘Patch Management Standard’ and no measures were in place to check whether software updates and patches were implemented regularly;
  • Carphone Warehouse needed more rigorous controls in place over who had WordPress credentials, and it needed measures in place for detecting any unauthorised use of those credentials;
  • Inadequate vulnerability scanning and penetration testing measures were in place at the time: there were no routine testing procedures, a scan failed to identify the vulnerabilities and no penetration testing had occurred in the 12 months leading up to the attack;
  • At the time of the attack, Carphone Warehouse had no Web Application Firewall, which might have prevented the intrusion;
  • No antivirus technology was installed on the system’s servers, contrary to Carphone Warehouse’s policies, which were not being followed;
  • Technical measures for detecting attacks and unauthorised entries were inadequate: Carphone Warehouse’s internal monitoring measures only alerted staff to the attack 15 days after the system was first compromised;
  • The same root password was used on all of the system’s servers, which was known by 30-40 members of staff and carried administrative rights;
  • Measures to identify and purge historic data were inadequate: the system contained large amounts of historic transactions data;
  • Carphone Warehouse had an inadequate understanding of its IT systems architecture: it was not aware that data from historic transactions and credit card data were held on the system; and
  • Storing data encryption keys in plaintext was inadequate.
Harm
The Commissioner considers that this contravention was serious, in that:
  • The number of inadequacies in the security arrangements for the System is striking: each of the inadequacies would have constituted a contravention of the 7th Data Protection Principle themselves;
  • The inadequacies related to basic, commonplace measures needed for any such system;
  • The inadequacies persisted over a long period of time, given how easily and quickly the shortcomings could have been remedied;
  • The system contained a very large amount of personal data, affecting over 3 million individuals; and
  • The attack had been going for 15 days before it was detected.
The Commissioner considers that this contravention was of a kind likely to cause substantial damage or substantial distress, in that:
  • The personal data was put at risk and the data concerned was likely to be useful in terms of identity theft and fraud. Substantial damage was very likely and exposure to this damage would likely cause substantial distress;
  • The credit card data represented a particular risk in terms of identity theft and fraud;
  • The data at risk had a significant bearing on individuals’ privacy, the loss of control of which was likely to cause distress to at least some of the affected data subjects. The ‘substantial distress’ threshold was clearly met in these circumstances;
  • The contravention was of a kind that exposed personal data to the risk of cyberattack, which would involve nefarious and criminal purposes and cause substantial damage and substantial distress; and
  • The data remains at large. This factor is likely to exacerbate the risk of substantial distress to affected data subjects.
Aggravating factors
  • The cumulative impact of the problems is striking, including by comparison with many other cases the Commissioner has investigated.
  • Carphone Warehouse’s culpability is striking. The Commissioner cannot see any justification or excuse for the extent of the systemic inadequacies on the part of such a large and well-established data controller.
Mitigating factors
  • Carphone Warehouse had a programme for improving its information security in this division of the company.
  • Carphone Warehouse quickly took remedial actions to fix some of the problems and assist affected data subjects in the wake of the attack.
  • There is no evidence that the compromised data was used for identity theft or fraud. The card data was relatively historic at the time of the attack.
  • It is still not certain how the attacker obtained credentials for the WordPress system.
  • It is still not certain how much data was extracted.
  • Carphone Warehouse proactively reported the attack to the Commissioner and co-operated with her investigation.
Penalty
The Commissioner fined Carphone Warehouse £400,000, reduced by 20% to £320,000 if Carphone Warehouse paid by 7 February 2018.
Newday Limited
8 January 2017
Breach of PECR – Regulation 22 (unsolicited electronic mail)
Monetary Penalty Notice: £230,000
Factual background
Newday Limited (“Newday”) is a provider of financial products and services, and conducts its marketing through contractual arrangements with selected marketing affiliates.
Between 6 April 2015 and 23 January 2017 Newday, via its appointed affiliates, instigated the transmission of approximately 48,096,988 unsolicited marketing emails, promoting Newday's products, of which 93 per cent were received by individual subscribers. The emails were sent to individuals who had subscribed to 16 websites operated by Newday's affiliates. During the time in question, the Commissioner received 48 complaints from individuals who had received marketing emails from Newday.
The information provided to subscribers about marketing did not specifically name Newday or any of its trading styles, and only listed ‘third parties’, ‘sponsors’, ‘partners’, ‘affiliates’ or similar generic descriptions. Furthermore, the majority of the websites did not provide subscribers with the opportunity to opt out of third party marketing. On the websites which did provide a 'soft opt-in', the relevant information was not always readily available, and subscribers were not allowed to specify the means by which they would receive marketing.
ICO finding
The ICO found that Newday, via its affiliates, instigated the transmission of approximately 48,096,988 unsolicited communications over a public electronic communications network, by means of electronic mail, to individual subscribers, for the purposes of direct marketing, contrary to regulation 22 of PECR.
Further, the Commissioner considers that Newday deliberately contravened regulation 22 of PECR, because it deliberately instigated the mass sending of the emails while relying upon invalid consent obtained by third party affiliates. It was Newday’s responsibility to ensure valid consent had been obtained prior to sending the emails.
It was found that Newday knew, or ought reasonably to have known, that there was a risk that these contraventions would occur.
Harm
The Commissioner is satisfied that the contravention was serious, because Newday, via its affiliate marketers, sent the direct marketing emails to subscribers without their consent. 44,730,198 emails were received, resulting in 48 complaints to the Commissioner. Newday has stated that the volume of emails sent could be higher but they were unable to verify the total number sent with all affiliates.
Aggravating factors
  • Evidence suggests a lack of due diligence by Newday, which could have identified inadequate privacy policies, thereby preventing the contraventions.
  • There is evidence of a loss of control of data, leaving individuals to be exposed to high volumes of unsolicited marketing emails.
Penalty
The Commissioner fined Newday £230,000, reduced by 20% to £184,000 if Newday paid by 8 February 2018.
TFLI Ltd
8 January 2018
Breach of PECR – Regulation 22 (unsolicited electronic mail)
Monetary Penalty Notice: £80,000
Factual background
TFLI Limited (“TFLI”) is a finance broker which markets financial products through SMS text messages. TFLI bases its marketing campaigns on personal data provided by third party affiliate companies.
TFLI came to the attention of the Commissioner due to a significant number of complaints about the receipt of unsolicited SMS text messages. Between 24 November 2015 and 8 June 2016, TFLI instigated the transmission of approximately 1,218,436 unsolicited marketing texts, promoting a loan website, of which 1,190,534 were received.
ICO finding
Between 24 November 2015 and 8 June 2016 TFLI instigated the transmission of approximately 1,190,534 unsolicited communications over a public electronic communications network by means of electronic mail to individual subscribers for the purposes of direct marketing contrary to regulation 22 of PECR.
The Commissioner is satisfied that the consent relied on by TFLI was not sufficiently informed and therefore it did not amount to valid consent for the purposes of regulation 22 of PECR.
Harm
The ICO was satisfied that the contravention identified was serious, because TFLI sent 1,218,436 direct marketing texts to individuals without their consent, of which 1,190,534 were received, resulting in 793 complaints to the Commissioner.
Penalty
The Commissioner fined TFLI £80,000, reduced by 20% to £64,000 if TFLI paid by 7 February 2018.
Barrington Claims Ltd
8 January 2018
Breach of PECR – Regulations 19 and 24 (unsolicited telephone calls)
Monetary Penalty Notice: £250,000
Factual background
Barrington Claims Ltd (“BCL”) came to the attention of the Commissioner due to a significant number of complaints about automated marketing calls received from a number of companies. The messages were being transmitted using software owned by DXI Limited (“DXI”). DXI is a communication service provider and offers hosted dialler systems to companies. One of these services is an outbound dialling platform where companies can upload a message, which is then transmitted via automated calls to individuals. On 31 October 2016 the Commissioner served a third party information notice on DXI in relation to automated calls.
DXI responded to the notice on 5 December 2016 and provided a spreadsheet containing a list of automated calling campaigns, which showed that, between 22 February 2016 and 23 May 2016, BCL made a total of 15,288,474 calls.
ICO finding
The Commissioner found that BCL contravened regulations 19(1) and (2) of PECR because, between 23 February 2016 and 20 May 2016, it instigated the transmission of 15,288,474 automated marketing calls to subscribers without their prior consent, resulting in 41 complaints. The Commissioner was satisfied that BCL did not have the consent of the individuals to whom it had instigated the transmission of the calls, and that BCL was responsible for this contravention. The Commissioner also considered that, in this case, BCL deliberately contravened regulation 19 of PECR, because it engaged DXI with the explicit purpose of using DXI’s voice broadcasting platform to make automated calls.
Harm
The Commissioner was satisfied that the contravention was serious, because BCL instigated the making of over 15 million automated marketing calls to subscribers, without their prior consent, over a period of around three months. This resulted in 41 complaints being made to the Commissioner.
Aggravating factors
  • BCL had its claims management authorisation removed by the Ministry of Justice CMR in April 2017.
  • BCL failed to engage with the Commissioner in assisting with her investigations and failed to respond to enquiries.
Penalty
The Commissioner fined BCL £250,000, reduced by 20% to £200,000 if BCL paid by 7 February 2018.
Goody Market UK Ltd
8 January 2018
Breach of PECR – Regulation 22 (unsolicited electronic mail)
Monetary Penalty Notice: £40,000
Factual background
Goody Market UK Ltd (“Goody Market”) operates a comparison website designed to compare multiple insurance products.
The Commissioner commenced an investigation into the marketing practices of Goody Market, after receiving a significant number of complaints about the receipt of unsolicited marketing texts.
Between 1 March 2017 and 5 May 2017, Goody Market instigated the transmission of 170,000 unsolicited marketing text messages, of which 111,367 were received. The texts were sent on the basis of data sourced from a third party, and purchased on behalf of Goody Market by a data broker.
Goody Market was unable to provide the Commissioner with any evidence that the recipients consented to receiving marketing messages, having relied on verbal assurance from the data broker that the data had been used previously for these same purposes. There is no evidence of, or any review by Goody Market of, any written agreement between the data source and Goody Market, nor any agreement between the data broker and the data source, in relation to the purchasing of data and valid consent for the purchased data. Goody Market was, therefore, unable to specifically confirm that the recipients had consented to receipt of the text messages.
The Commissioner received a total of 93 complaints about the transmission of unsolicited marketing texts by Goody Market during the period of the contravention.
ICO finding
The Commissioner found that Goody Market contravened regulation 22 of PECR because, between 1 March 2017 and 5 May 2017, Goody Market instigated the transmission of 111,367 unsolicited communications over a public electronic communications network, to individual subscribers, for the purposes of direct marketing.
The consent relied upon by Goody Market was not sufficiently informed and therefore it did not amount to valid consent.
Harm
The Commissioner was satisfied that the contravention was serious because of the volume of text messages sent over a short period of time, and the number of complaints received. 170,000 text messages were sent in just over two months, of which 111,367 were received, resulting in 93 complaints.
Aggravating factors
  • Marketing was conducted by Goody Market on a significant scale where no valid consent was provided by the recipients.
  • Goody Market executed a large scale direct marketing campaign in circumstances where it professed to have a total lack of knowledge of the regulations.
Penalty
The Commissioner fined Goody Market £40,000, reduced by 20% to £32,000 if Goody Market paid by 7 February 2018.
Miss-sold Products UK Ltd
17 January 2018
Breach of PECR – Regulation 19 (automated calling system)
Monetary Penalty Notice: £350,000
Factual background
The Commissioner received a “significant number of complaints” relating to Miss-sold Products UK Ltd (“MSP”) and MSP’s use of automated marketing calls. The messages were being transmitted using software from DXI Limited (“DXI”). DXI is a communications service provider offering hosted dialler systems to companies. One of the services provided by DXI is an outbound dialling platform on which companies can upload a message, which is then transmitted as automated calls to individuals. On 30 March 2017 the Commissioner wrote to MSP to request specific information in relation to the calls that had been made. As no response was received, the Commissioner wrote again to MSP on 2 May 2017. A response, dated 21 May 2017, was received by the Commissioner on 21 June 2017. The response explained that MSP had ceased trading in March 2016 and that the author of the letter was involved only in the dissolution of the company. The letter did not address the Commissioner’s specific request for information regarding the calls.
Many of the complainants reported that they had received multiple calls containing recorded messages about refunds concerning, primarily, PPI claims. The complainants reported that they were unable to opt out of the calls. Other complainants expressed further distress as they were concerned that the calls might have been from family members or from those to whom the complainants provided care.
MSP was unable to provide evidence that it had the consent of the individuals to whom it had instigated the transmission of the automated direct marketing calls.
ICO finding
The Commissioner found that MSP contravened regulations 19(1) and (2) of PECR because, between 16 November 2015 and 7 March 2016, MSP instigated the transmission of 74,965,420 automated marketing calls to subscribers without their prior consent, resulting in 146 complaints.
MSP did not have the consent of the individuals to whom it had instigated the transmission of the calls.
Harm
The Commissioner was satisfied that the contravention was serious because MSP instigated the making of over 74 million automated marketing calls to subscribers, without their prior consent, over a period of around four months. The calls resulted in 146 complaints being made to the Commissioner.
Aggravating factors
  • The volume of calls made was substantial and the calls were instigated in a relatively short period of time. The calls were persistent and individuals stated that they had not consented to receive automated calls.
  • MSP failed to engage with the Commissioner in assisting with her investigations and failed to respond to enquiries.
Penalty
The Commissioner fined MSP £350,000, reduced by 20% to £280,000 if MSP paid by 13 February 2018.
SSE Energy Supply Ltd
18 January 2018
Breach of PECR Regulation 5A (failure to notify)
Monetary Penalty Notice: £1,000
Factual background
On 12 June 2017 an email to a customer was sent in error by SSE Energy Supply Ltd (“SSE”) to an incorrect email address. The personal information of one customer was disclosed, comprising the customer’s surname and account number. SSE became aware of the breach on 12 June 2017 after the sender of the email noticed that he had used the wrong address when copying the notes onto the customer service system. SSE had policies and procedures in place for reporting personal data breaches to its data protection assurance team for subsequent notification by designated staff to the Commissioner within 24 hours. However, these policies and procedures were not followed in this case. SSE reported the breach internally on 12 June 2017, but did not notify the Commissioner of the breach until 14 June 2017.
SSE subsequently took remedial action to prevent a recurrence of the breach by providing feedback and training to those responsible for the breach reporting. It was also in the process of doubling its resources in breach reporting, as well as implementing an electronic case management system, which has the functionality for prompts to improve the efficiency of the reporting.
ICO finding
The Commissioner was satisfied that there had been a personal data breach within the meaning of regulation 2 of PECR. Further, the Commissioner was satisfied that SSE had contravened regulation 5A of PECR by failing to notify the Commissioner of that personal data breach in accordance with the Notification Regulations.
Holmes Financial Solutions Ltd
31 January 2018
Breach of PECR - Regulations 19 and 24 (automated calling system)
Monetary Penalty Notice: £300,000
Factual background
Holmes Financial Solutions Limited’s (“HFSL”) website indicated that the organisation offered financial services including debt management, individual voluntary agreements (“IVAs”) and trust deeds.
HFSL first came to the attention of the Commissioner following an investigation into complaints about automated calls made between 22 October 2015 and 27 July 2016. On 31 October 2016 the Commissioner served a third party information notice on DXI Limited (“DXI”) in relation to automated calls made via the DXI voice broadcasting platform from numbers sharing the prefixes of the numbers reported in the complaints. DXI responded to the notice on 5 December 2016, providing a spreadsheet containing a list of automated calling campaigns carried out by their customers, using these numbers as presentation CLIs. The spreadsheet included the campaign name, CLI, date of first and last call, and the number of calls made. The spreadsheet showed that, between 22 October 2015 and 27 July 2016, HFSL made over 24 million automated direct marketing calls using the DXI voice broadcasting platform.
On 14 June 2017 the Commissioner wrote to HFSL to indicate concerns about HFSL’s compliance with PECR, and to request a copy of their contract with their data supplier; copies of any voice broadcasting messages; and evidence of consent for the complaints received, to assist with the Commissioner’s enquiries. On 15 June 2017 HFSL contacted the Commissioner to confirm that they would undertake the necessary investigations regarding the Commissioner's concerns. Subsequent correspondence was sent by HFSL on 3 July 2017 and 20 July 2017 to explain that approximately 10 million sets of data were bought from one company, as part of a number of deals which took place between the parties without a contractual agreement in place, with a further 500,000 data leads bought from another company. HFSL stated that they had been assured by the companies from whom they bought data that the individuals to whom the data related had consented to receive marketing calls; however, HFSL failed to provide any evidence of reasonable due diligence checks being carried out to ensure the validity of these assurances.
HFSL provided evidence of consent for a single complainant whose details appear to have been obtained from www.prizereactor.co.uk. The personal data provided included the individual's name, home address, email address, gender, date of birth, mobile telephone number, and the time stamp for when the 'consent' was obtained. The website's privacy policy indicated that personal data will be shared with ‘selected third parties’ and sponsors; further that these third parties will contact the individual via a range of means, including mail, telephone, SMS or email; and then goes on to list a wide variety of marketing sectors including telecommunications, car finance, gambling, travel, financial products etc. The website did not specifically list HFSL as a third party or sponsor.
On 12 September 2017 DXI wrote to the Commissioner to confirm that the number of calls instigated by HFSL between 22 October 2015 and 27 July 2016 was 2,034,173 higher than first stated at the outset of the investigation, giving a total of 26,632,018 automated calls made by HFSL. DXI further confirmed that, of the 26,632,018 automated calls made, 8,792,907 were answered by subscribers.
ICO finding
Between 22 October 2015 and 27 July 2016 HFSL instigated the transmission of 8,792,907 automated marketing calls to subscribers without their prior consent, resulting in 62 complaints. HFSL did not have the consent of the individuals to whom it had instigated the calls. The Commissioner considered whether HFSL knew or ought reasonably to have known that there was a risk that these contraventions would occur. She is satisfied that this condition is met, given that HFSL relied heavily on automated direct marketing, and the fact that the issue of unsolicited calls was widely publicised by the media as being a problem.
Harm
The Commissioner was satisfied that the contravention identified above was serious because HFSL instigated the making of over 8.7 million automated marketing calls to subscribers without their prior consent. This resulted in 62 complaints being made to the Commissioner. Furthermore, there is evidence to suggest that repeat calls were made to subscribers regardless of their attempts to opt out. It is reasonable to suppose that the scale of the contravention could have been far higher, since it is known that HFSL instigated over 26.6 million automated calls. The Commissioner went on to consider whether HFSL failed to take reasonable steps to prevent the contravention. Again, she was satisfied that this condition was met.
Aggravating factors
  • Although the contravention in this case is the making of 8,792,907 automated calls for which the organisation has failed to demonstrate consent, there is evidence that over 26.6 million calls were in fact instigated by HFSL.
  • Whilst the CLIs used for the marketing calls were legitimate, they did not identify the company making the call. The CLIs were allocated overseas before being used through DXI's dialling platform, making it difficult to trace the company.
  • The CLIs were also 'added value' numbers which charged the individual when they called back to try to identify the company.
Penalty
The Commissioner fined HFSL £300,000, reduced by 20% to £240,000 if HFSL paid by 27 February 2018.
Royal Mail Group
3 April 2018
Breach of PECR – Regulation 22 (unsolicited email communications)
Monetary Penalty Notice: £12,000
Factual background
Royal Mail Group (“RMG”) is the UK's Designated Universal Postal Service Provider.
On 10 July 2017, RMG instigated the transmission of 170,680 initial emails to opted out customers, of which 164,044 were received. On 17 July 2017, RMG instigated the transmission of 168,410 follow up emails to opted out customers, of which 162,970 were received. The combined totals for opted out customers for both dates are 339,090 emails sent, and 327,014 received.
RMG informed the ICO that two sets of emails were sent: one set to customers who had opted in to receive marketing and one set to customers who had opted out, each comprising an initial email and a follow up. It advised that the messages differed in style and content, depending on whether the customer was opted in or out.
The Commissioner considered that, whilst RMG distinguished between opted in and opted out customers in terms of which message was sent, the phrasing and style of the message sent to opted out customers meant that it constituted marketing and not simply a service message.
ICO finding
The Commissioner found that on 10 July 2017 and 17 July 2017, RMG instigated the transmission of a combined total of 327,014 unsolicited communications over a public electronic communications network by means of electronic mail to individual subscribers for the purposes of direct marketing, contrary to Regulation 22 of PECR.
The Commissioner considered that, in this case, RMG did not deliberately contravene Regulation 22, but held that RMG should have known, or ought reasonably to have known, that there was a risk that this contravention would occur. The Commissioner also found that RMG had failed to take reasonable steps to prevent the contravention.
Harm
The Commissioner was satisfied that the contravention identified was serious, because RMG sent 339,090 direct marketing emails to customers without their consent, of which 327,014 were received, resulting in one complaint to the Commissioner. The emails were specifically written for customers who had not opted in to receive marketing communications; however, it is clear that the messages were marketing, which compounds the serious nature of the breach, as RMG failed to distinguish between service messages and marketing communications.
Mitigating factors
  • This was an isolated incident with only one complaint received by the Commissioner.
  • RMG reviewed and improved its controls for messages of this type to ensure that only appropriate content is included in any future communications.
Penalty
The Commissioner fined RMG £12,000, reduced by 20% to £9,600 if Royal Mail Group paid by 3 May 2018.
The Royal Borough of Kensington and Chelsea
10 April 2018
Breach of DPA 1998 – 7th Principle (personal data must be kept secure)
Monetary Penalty Notice: £120,000
Factual background
On 14 June 2017, a fire broke out at the 24-storey Grenfell Tower block of public housing flats in North Kensington causing 71 deaths. People from surrounding buildings were also evacuated due to concerns that the building might collapse. In the circumstances, there were calls for empty private property in the borough to be requisitioned to provide homes for those displaced by the fire.
On 30 June 2017, the Council received three separate requests (one from a journalist) for the statistical information used in a report in 2015; specifically the addresses of empty properties in the borough. It later transpired that the applicants were all journalists with links to a national daily newspaper. The requests were made under the Freedom of Information Act 2000 ("FOI").
However, the Council no longer held the statistical information, so a member of the Revenue Systems Administration team produced a pivot table that included a list of named owners against the addresses of empty properties in the borough. The Council did not intend to disclose this information because of the risk of criminal activity.
The Council Tax Manager then compiled a list of the number of empty properties in the borough to be disclosed to the applicants, copied and pasted the information into a new Excel spreadsheet and sent it to the FOI team, but did not remove the underlying personal data contained in the pivot table.
On 21 July 2017, the spreadsheet was sent to the applicants by email with the underlying personal data still on the pivot table. On 1 August 2017, the number of empty properties in the borough was published on the newspaper’s website together with the names of three high profile owners.
ICO finding
The Council failed to take appropriate organisational measures against the unauthorised processing of personal data (DPA 1998 – 7th Principle). The Commissioner found that the contravention was as follows:
  • The Council did not provide the FOI team with any (or any adequate) training on the functionality of Excel spreadsheets or possible alternatives.
  • The Council had in place no guidance for the FOI team to check spreadsheets for data hidden in any pivot table before they are disclosed under FOI.
The ICO did not consider the contravention deliberate, but held that the Council should have known, or ought reasonably to have known, that there was a risk that this contravention would occur. The ICO found that the Council had failed to take reasonable steps to prevent the contravention.
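The finding above turns on a check nobody performed: looking inside the spreadsheet for data that sits behind the visible summary. As an added example (not from the tracker or the ICO notice), the Python below audits an .xlsx package for pivot-table caches and hidden sheets before release; the workbook and the owner records it contains are constructed in memory for demonstration.

```python
"""Pre-disclosure audit of an .xlsx workbook for data its author did not mean
to release: pivot-table caches (which store every source row behind a summary
table) and hidden worksheets.

Added example, not part of the ICO notice or the Council's procedures. An
.xlsx file is a zip of XML parts, so the audit reads the package directly with
the standard library. The sample workbook is constructed, not a real export.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def audit_xlsx(data: bytes) -> dict:
    """Report content a reviewer would not see on the visible summary sheet."""
    findings = {"pivot_caches": [], "cached_values": 0, "hidden_sheets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("xl/pivotCache/pivotCacheRecords"):
                # One <r> element per source row, even if the visible pivot
                # table shows only a count derived from them.
                root = ET.fromstring(zf.read(name))
                rows = len(root.findall(f"{{{NS}}}r"))
                findings["pivot_caches"].append({"part": name, "rows": rows})
            elif name.startswith("xl/pivotCache/pivotCacheDefinition"):
                # <sharedItems> lists the distinct field values; this is where
                # names and addresses from the source table are stored.
                root = ET.fromstring(zf.read(name))
                items = root.findall(f".//{{{NS}}}sharedItems/*")
                findings["cached_values"] += len(items)
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in wb.iter(f"{{{NS}}}sheet"):
                if sheet.get("state") in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append(sheet.get("name"))
    findings["safe_to_release"] = not (
        findings["pivot_caches"] or findings["hidden_sheets"])
    return findings


def build_sample_workbook(with_pivot_cache: bool) -> bytes:
    """Constructed test data: the visible sheet carries only a count of empty
    properties; with_pivot_cache=True adds the pivot cache and hidden source
    sheet carrying fictitious owner names and addresses. Only the parts the
    audit inspects are written, so this is not a complete Excel file."""
    records = [("A. Owner", "1 Example Road"),   # constructed, fictitious
               ("B. Owner", "2 Example Road"),
               ("C. Owner", "3 Example Road")]
    sheets = '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
    if with_pivot_cache:
        sheets += '<sheet name="Owners" sheetId="2" state="hidden" r:id="rId2"/>'
    workbook = (f'<workbook xmlns="{NS}" xmlns:r="http://schemas.openxmlformats'
                f'.org/officeDocument/2006/relationships"><sheets>{sheets}'
                '</sheets></workbook>')
    summary = (f'<worksheet xmlns="{NS}"><sheetData><row r="1">'
               '<c r="A1" t="inlineStr"><is><t>Empty properties</t></is></c>'
               f'<c r="B1"><v>{len(records)}</v></c></row></sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", summary)
        if with_pivot_cache:
            rows = "".join(f'<r><s v="{o}"/><s v="{a}"/></r>' for o, a in records)
            zf.writestr("xl/pivotCache/pivotCacheRecords1.xml",
                        f'<pivotCacheRecords xmlns="{NS}" count="{len(records)}">'
                        f'{rows}</pivotCacheRecords>')
            owners = "".join(f'<s v="{o}"/>' for o, _ in records)
            addrs = "".join(f'<s v="{a}"/>' for _, a in records)
            zf.writestr("xl/pivotCache/pivotCacheDefinition1.xml",
                        f'<pivotCacheDefinition xmlns="{NS}"><cacheFields>'
                        f'<cacheField name="Owner"><sharedItems>{owners}'
                        '</sharedItems></cacheField>'
                        f'<cacheField name="Address"><sharedItems>{addrs}'
                        '</sharedItems></cacheField>'
                        '</cacheFields></pivotCacheDefinition>')
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("as exported", True), ("values only", False)):
        print(label, audit_xlsx(build_sample_workbook(flag)))
```

A release that fails the audit should be rebuilt as a values-only workbook rather than by deleting the cache parts, since the pivot table and its relationships would otherwise be left inconsistent.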
Harm
The Commissioner was satisfied that the contravention identified was serious due to the number of affected data subjects, the sensitive nature of the personal data that was disclosed to the applicants in the context of the Grenfell Tower tragedy, and the potential consequences. In those circumstances, the Council's failure to take adequate steps to safeguard against unauthorised disclosure was considered to be serious.
The Commissioner therefore considered that, by reference to the features of the contravention, it would cause distress to at least some of the affected data subjects if they knew that their name and address had been disclosed to three journalists with links to the newspaper, who would discover that they owned empty properties in the borough.
Aggravating factors
  • The Council received a complaint from an affected data subject.
Mitigating factors
  • The Council reported this incident to the Commissioner and was cooperative during her investigation.
  • The Council took prompt action to ensure that the journalists and the data analyst deleted the spreadsheet from their email accounts and the Google cache.
  • The high profile data subjects were notified about this security breach.
  • A full investigation was carried out by the Council.
  • The Council has now taken substantial remedial action.
  • There is no evidence of actual damage to property, as far as the Commissioner is aware.
  • A determined person could have obtained the information via the electoral register and the Land Registry.
  • This security breach was exacerbated by the actions of the newspaper and one of the journalists.
  • A monetary penalty may have a significant impact on the Council's reputation and, to an extent, its resources.
Penalty
The Commissioner fined the Council £120,000, reduced by 20% to £96,000 if the Council paid by 10 May 2018.
IAG Nationwide Limited
25 April 2018
Breach of PECR – Regulations 21 and 24 (unsolicited telephone calls)
Monetary Penalty Notice: £100,000
Factual background
IAG Nationwide Limited (“IAG”) is a marketing/advertising agency.
Between 3 May 2016 and 25 August 2017 IAG used a public telecommunications service for the purpose of making 69,317 unsolicited calls for direct marketing purposes to subscribers who were registered with the Telephone Preference Service Ltd (“TPS”).
The ICO received 41 complaints about IAG from individuals between 3 May 2016 and 16 November 2017. In addition, the TPS received a further 21 complaints about IAG.
IAG explained that some data had been purchased from a third party provider which was in liquidation, and IAG was therefore unable to obtain opt-in records.
ICO finding
The ICO found that IAG had made unsolicited phone calls for the purposes of direct marketing without the appropriate consent (regulation 21 of PECR). In respect of those calls, the ICO further found that, for the purposes of regulation 24, although a valid Calling Line Identification was presented, it did not allow subscribers to identify the caller, as the company name was withheld and a false email address was provided.
The Commissioner did not consider the contravention deliberate, but found that IAG should have known, or ought reasonably to have known, that there was a risk that this contravention would occur. The ICO found that IAG had failed to take reasonable steps to prevent the contravention.
Harm
The ICO was satisfied that the contravention identified was serious due to there being multiple breaches of regulation 21 by IAG over a 15-month period, which led to a significant number of complaints to the TPS and the ICO.
Aggravating factors
  • A general lack of engagement by IAG during the Commissioner’s investigation, and provision of a false email address and contradictory information in response to the Commissioner’s enquiries.
  • The repeated and harassing nature of the calls made to subscribers.
  • Despite IAG putting in place a TPS screening system, the Commissioner continued to receive complaints from subscribers whose numbers were not TPS registered but who had previously notified the company that they did not wish to receive further calls.
Costelloe and Kelly Limited
25 April 2018
Breach of PECR – Regulation 22 (unsolicited electronic mail)
Monetary Penalty Notice: £19,000
Factual background
Costelloe and Kelly Limited (“CKL”) was a marketing agency. Between 1 June 2017 and 31 July 2017 CKL undertook a text direct marketing campaign, via a third party marketing platform, promoting funeral plans. A third party provided the source data used to conduct the campaign.
Between 1 June 2017 and 31 July 2017 CKL instigated the transmission of approximately 283,533 unsolicited marketing texts promoting the products. Of these, 265,395 text messages were delivered, and 18,138 failed.
As at 23 October 2017, 60 complaints about the marketing messages had been received by the GSMA’s Spam Reporting System. The GSMA’s Spam Reporting System allows mobile users to report the receipt of unsolicited marketing text messages to the GSMA. While some of the messages named CKL, the majority used the name ‘Future Planning’.
ICO finding
The Commissioner found that CKL had instigated the transmission of unsolicited communications over a public electronic communications network by means of electronic mail to individuals for the purposes of direct marketing (regulation 22 of PECR).
The Commissioner did not consider the contravention deliberate, but found that CKL should have known, or ought reasonably to have known, that there was a risk that this contravention would occur. The ICO found that CKL had failed to take reasonable steps to prevent the contravention.
Harm
The Commissioner was satisfied that the contravention identified was serious due to the number of individuals affected by the contravention, which led to a significant number of complaints to the GSMA’s Spam Reporting System. In addition, the majority of the text messages did not contain CKL’s name.
Aggravating factors
  • The text messages did not identify CKL as the sender.
  • There is evidence of a lack of due diligence on the part of CKL, which could have identified inadequate privacy policies, thereby preventing the contraventions.
Mitigating factors
  • CKL has fully co-operated with the Commissioner throughout her investigation.
  • There have been no further complaints relating to marketing communications sent by CKL since the Commissioner's investigation.
  • CKL does not routinely engage in marketing campaigns. This is the first occasion the company has been brought to the Commissioner's attention, and the directors and officers have not been linked to any other contraventions of the regulations previously.
  • CKL terminated the marketing campaign in August 2017.
Crown Prosecution Service
14 May 2018
Breach of DPA 1998 – 7th Principle (Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data)
Monetary Penalty Notice: £325,000
Factual background
The Crown Prosecution Service (“CPS”) is the principal public prosecuting agency for conducting criminal prosecutions in the UK.
On 18 November 2016, the CPS received a package of 15 unencrypted DVDs from Surrey Police. Those DVDs contained recordings of Achieving Best Evidence ("ABE") interviews with victims of child sexual abuse, to be used in evidence at the trial of the accused. Originals were retained by Surrey Police. All the DVDs contained intimate sensitive personal data of the victims, as well as the sensitive personal data of the perpetrator and some identifying information of accompanying persons and interviewing officers.
The package was delivered to the Brighton office of the CPS on 21 November 2016. The DVDs and the personal data contained on them have not been recovered. It is unknown what has happened to them and whether there has been unauthorised access of that personal data. The DVDs were not encrypted. The CPS has stated that it is not normal practice to encrypt ABE material. Encryption software is, however, available to all areas of the CPS. Nor were the DVDs transported in tamper-proof packaging, as indicated by Annex N of the Ministry of Justice's ABE Guidance.
ICO finding
The CPS failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data (DPA 1998 – 7th Principle).
The ICO did not consider the contravention deliberate, but stated that the CPS should have known, or ought reasonably to have known, that there was a risk that this contravention would occur. The ICO found that the CPS had failed to take reasonable steps to prevent the contravention.
Harm
The Commissioner was satisfied that the contravention identified above was serious, due to the fact that the videos contained confidential and highly sensitive personal data of a substantial number of data subjects and the nature of the personal data involved. The contravention would cause distress to the victims who may suspect that their confidential and highly sensitive personal data had been disclosed to a recipient who had no right to see that information. Further, the victims would be distressed by justifiable concerns (given the highly sensitive nature of some of the information) that their data has been further disseminated, even if those concerns do not actually materialise. Victims may also have been distressed at the possibility that the loss of the data could, if it were to appear in the public domain, adversely affect the prosecution or conviction of the perpetrator.
Aggravating factors
  • As recently as 2015, the CPS was the subject of a monetary penalty notice of £200,000 resulting from a failure to encrypt and/or secure recordings of victim and witness interviews in the context of sexual abuse. Despite this, CPS employees have continued not to take basic encryption and security precautions in respect of such recordings, and there remain, on the CPS’ own conclusions, systemic procedural failings.
  • The ICO was not notified of the breach for more than four months after the CPS became aware of it.
  • Affected data subjects were not notified until some three months after the CPS became aware of it.
  • The CPS was slow internally in escalating the breach to the appropriate level of management.
  • The lost DVDs have never been recovered.
Mitigating factors
  • The breach was eventually voluntarily reported to the ICO.
  • The DVDs have not been accessed by an unauthorised third party, as far as the Commissioner is aware.
  • The CPS eventually notified the affected individuals.
  • The CPS has been fully co-operative with the ICO.
  • The CPS has self-identified systemic failings and is taking action to remedy them.
  • There is likely to be a significant impact on the CPS' reputation as a result of this security breach.
Yahoo! UK Services Ltd
21 May 2018
Breach of DPA 1998 – 7th Principle (Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data)
Monetary Penalty Notice: £250,000
Factual background
Yahoo! UK Services Ltd (“Yahoo UK”) offers digital media services over the internet, providing search and navigation tools to consumers and businesses.
British Sky Broadcasting Limited (“BSB”) and Yahoo UK entered into a co-branded mail services agreement (the “CMS Agreement”), dated 13 August 2012, under which Yahoo UK was stated to be the controller of the personal data of the users to which the agreement relates.
On 26 September 2014, the obligations of Yahoo UK under the CMS Agreement were transferred to a company that was then called Yahoo! Europe Limited (“Yahoo Europe”), which then became the data controller. Although Yahoo Europe changed its name to Yahoo! UK Services Limited on 1 October 2014, the ICO was informed that the Sky/Yahoo privacy policy was updated to reflect the September 2014 transfer. The ICO further relied on this updated policy as an indication that Yahoo! Services Limited was the data controller for the relevant customers at the time of a 2014 incident involving the potential compromise of Yahoo! user accounts (“the 2014 Security Incident”).
During the 2014 incident, attackers gained access to Yahoo! Inc.’s account management tool (“AMT”), which is the corporate user interface to certain Yahoo systems that host user account data. The attackers gained access to the AMT by exploiting compromised credentials of Yahoo employees who were authorised to use it (“the 2014 AMT Incident”).
Yahoo UK explained that it did not believe that the 2014 AMT Incident caused the 2014 Security Incident. Yahoo explained that the same attackers who were responsible for the 2014 AMT Incident were able to gain access to Yahoo systems by exploiting compromised credentials of Yahoo employees who were authorised to access those systems. The attackers were able to transfer multiple copies of backup files from the main servers that hosted user data to other servers in the Yahoo network.
In total, approximately 191 backup files were exfiltrated, containing the data of approximately 500 million Yahoo user accounts worldwide.
ICO finding
The ICO found that Yahoo UK failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data of the relevant data subjects. Specifically, Yahoo UK failed to ensure that appropriate monitoring systems were in place to:
  • Protect the credentials of Yahoo employees with access to the personal data of Yahoo Customers from being compromised; and
  • Ensure that an instruction to transfer very large quantities of personal data of users from the servers on which it was held to the control of unauthorised individuals was flagged for investigation prior to being implemented.
The ICO noted that the fact that Yahoo! Inc. was acting as data processor for Yahoo UK at the time of the 2014 Security Incident does not alter the fact that Yahoo UK was itself in breach of 7th Principle of the DPA 1998.
The Commissioner did not consider the contravention deliberate, but stated that Yahoo! Inc. should have known, or ought reasonably to have known, that there was a risk that this contravention would occur. The Commissioner found that Yahoo! Inc. had failed to take reasonable steps to prevent the contravention.
Harm
The Commissioner was satisfied that the contravention was serious due to the following:
  • The contravention comprised a number of material inadequacies in Yahoo UK’s technical and organisational measures for the safeguarding of the relevant personal data.
  • The Commissioner had seen no satisfactory explanation for those inadequacies.
  • Those inadequacies were systemic, rather than arising from any specific incident or incidents.
  • Those systemic inadequacies appeared to have been in place for a long period of time without being discovered or addressed.
  • Those inadequacies put the personal data of up to 515,121 data subjects at risk. For the purposes of section 55A of the DPA 1998, the Commissioner considered that the contravention was of a kind likely to cause substantial distress.
  • In relation to substantial distress, at least some data subjects would realise that their personal data had been stolen or misused. They would be uncertain about how that had occurred and how it might adversely affect them. Given the large number of affected users, substantial distress was likely in these circumstances.
Mitigating factors
  • This was a sophisticated and persistent criminal attack, supported by the Russian Federal Security Service.
  • Yahoo! Inc.'s network was already protected by extensive internal security measures prior to the 2014 Security Incident. Following that incident, further steps were taken to strengthen those security measures.
  • Yahoo UK, Yahoo! Inc. and their associated companies have co-operated with the Commissioner, and with data protection regulators and law enforcement authorities in other jurisdictions, in relation to the matters set out in the Notice.
  • Extensive steps were taken to notify affected users and to inform them how they could protect their accounts.
  • The exfiltrated data did not include payment card data or bank account information.
 
The University of Greenwich
16 May 2018
Breach of DPA 1998 – 7th Principle (Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data)
Monetary Penalty Notice: £120,000
Factual background
In 2012, the University of Greenwich (“the University”) reorganised its structure into four faculties. The Computer and Mathematics School (“CMS”) became part of the Architecture, Computing and Humanities Faculty. In 2004 a student, on behalf of an academic within the CMS, developed a microsite on the CMS’s web server and, in 2013, there was evidence that this microsite was compromised.
Between 11 and 16 January, multiple attackers exploited the compromised microsite by using SQL injection to gain access to an account with sufficient permission to upload known ‘PHP exploits’ to the microsite, which allowed the attackers to extract personal data relating to approximately 19,500 data subjects.
Sensitive information was also compromised, relating to approximately 3,500 of the data subjects, such as extenuating circumstances, assessment offences and learning difficulties.
On 16 January 2016, an attacker posted the personal data online via Pastebin.com, a website used by hackers to publicise their attacks. There is evidence that the University’s microsite was further compromised in April and May 2016.
ICO finding
The Commissioner found that the University did not have appropriate technical and organisational measures for ensuring, so far as possible, that such an incident would not occur (DPA 1998 – 7th Principle).
In particular:
  • The University was not aware that its infrastructure included a microsite that was vulnerable to an SQL injection attack, with access to underlying databases.
  • The University did not identify the possible risks to its wider network and underlying systems.
  • The University did not ensure that the microsite was decommissioned when it was no longer necessary, or that the microsite was otherwise made secure.
  • The University did not undertake appropriate proactive monitoring activities to discover vulnerabilities.
The Commissioner considered that in this case the University did not deliberately contravene the DPA 1998. The Commissioner’s view was that the inadequacies were matters of serious oversight rather than deliberate intent to ignore or bypass the provisions of the DPA 1998.
Harm
The Commissioner is satisfied that the contravention identified was serious due to the number of data subjects, the nature of the personal data that was held and the potential consequences. In those circumstances, the University's failure to take adequate steps to safeguard against unauthorised or unlawful access was serious.
The Commissioner therefore considered that, by reference to the features of the contravention, it was of a kind likely to cause substantial distress. If this information had been misused by the persons who had access to it, or if it was, in fact, disclosed to hostile third parties, then the contravention would cause further distress to the data subjects and damage, such as exposing them to spamming or blagging and possible fraud.
Aggravating factors
  • The University received approximately 200 enquiries from the data subjects, including concerns about the possibility of being spammed.
Mitigating factors
  • The microsite was subjected to multiple criminal attacks.
  • The computing department’s academics were experts in software engineering, including how to secure information systems.
  • The University notified the ICO and the data subjects.
  • A significant amount of the compromised (sensitive) personal data was historic.
  • There was no evidence that the compromised (sensitive) personal data was, in fact, used for successful fraud activities.
  • The University was co-operative during the Commissioner's investigation.
  • The University has now taken substantial remedial action.
  • A monetary penalty may have a significant impact on the University's reputation and, to an extent, its resources.
  • The security breach was widely publicised in the media.
Bayswater Medical Centre
23 May 2018
Monetary Penalty Notice: £35,000
Breach of DPA 1998 – 7th Principle (Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data)
Factual background
On 2 February 2017 NHS West London CCG contacted the Bayswater Medical Centre (“BMC”) raising concerns about the security of patient information at the premises, and also referred these concerns to NHS England. In response, NHS England sought permission from the landlord of BMC’s branch site to enter the premises.
On 3 February 2017, NHS England entered BMC’s premises and discovered that a large number of patient records and files were stored insecurely. There were no specialised locks on the windows and the premises itself was secured by a single lock, with no other physical security measures such as an alarm.
BMC indicated to the Commissioner that the Care Quality Commission made a finding that the premises were not fit for purpose. BMC further explained that the data at the premises tended to be old hard copy data, and was a mixture of registered and removed patients who resided in the locality.
ICO finding
BMC failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data (DPA 1998 – 7th Principle).
The Commissioner did not consider the contravention deliberate but held that BMC should have known, or ought reasonably to have known, that there was a risk that this contravention would occur, and that BMC had failed to take reasonable steps to prevent the contravention.
Harm
The Commissioner is satisfied that the contravention was serious. This is because the information consisted of medical records, registration forms, repeat prescriptions and stickers on prescribed medication containing confidential and highly sensitive personal data.
The Commissioner also considered the contravention to be serious as a result of the length of time the personal data was left unsecured (between July 2015 and February 2017). This is despite a representative of the practice visiting the premises on a weekly basis, and having been placed on notice as early as 8 June 2016 by another practice that this was the case. BMC acknowledged that unsecured records remained on the premises in July 2016, yet took no steps to secure the data.
The contravention would cause distress to the data subjects who may suspect that their confidential and highly sensitive personal data has been disclosed to others who have no right to see that information.
Aggravating factors
  • The number of affected data subjects, highlighted by the period of the contravention
  • Failure to take swift remedial action even when BMC were aware of the contravention
  • At the time of the contravention BMC was not notified as a data controller with the ICO
  • Regulatory action has been taken against BMC by NHSE in respect of contractual breaches including data security
Mitigating factors
  • BMC had taken some remedial action confirming that "this has been a very disturbing, yet valuable lesson in which we have reviewed all the relevant policies and discussed such matters with all staff. We have ensured that they are all aware that at all times records should be secured" and "we have reviewed all our policies and staff have received additional training regarding patient confidentiality and the importance of record keeping."
  • BMC has advised that a member of staff visited the premises once a week after the premises were vacated.
  • Whilst the window and door locks at the premises were of original design, being a Grade IIa listed building, a locksmith advised BMC that the lock and front door were secure.
Our Vault Limited
18 June 2018
Monetary Penalty Notice: £70,000
PECR – Regulation 21 (unsolicited telephone calls)
Factual background
Our Vault Limited (“OVL”), an insurance agent, broker and lead generator, also operated under the trading style Our Insurance Vault. STR is registered with the Financial Conduct Authority (“FCA”).
The Commissioner received 42 complaints about unsolicited calls from OVL in November 2015. A further 137 complaints had been received by the TPS from individuals who had received unsolicited direct marketing calls from OVL, despite being registered with the TPS.
The Commissioner wrote to OVL on 1 February 2016 regarding OVL’s compliance with PECR and seeking an explanation for the complaints. OVL responded by stating they could provide evidence of consent for the calls that had been made. They also confirmed that they held a database of approximately 3.5 million unique records and that they contact each client three to four times a year. In April 2015 OVL purchased a further one million records from a third party.
OVL explained that it conducted lifestyle survey calls and that individuals who consent are transferred to ST&R Limited (“STR”), a sister company of OVL that is authorised by the FCA to sell financial products. The Commissioner reviewed call recordings and scripts and found that OVL’s calls were aimed at promoting STR’s products under the guise of research.
OVL advised that all data is checked with the TPS prior to being uploaded onto a dialler but, once uploaded, no further TPS screening is carried out. If an individual made a request for their data to be suppressed they would be placed on a Do Not Call (“DNC”) list.
The Commissioner requested further evidence of consent from OVL on 9 March 2016, together with an explanation for the number of repeat calls made to an individual on the DNC list. OVL confirmed that “over four years the dialler had done over 30 million dials,” but it was unable to provide evidence of consent for 104 of 109 of the calls complained about. Five of the complainants had not been TPS registered at the time of the first call but registered at a later date.
Over the subsequent 12 months, the Commissioner continued to receive complaints about OVL. Further enquiries of the TPS revealed that during the period of 1 April 2016 to 26 April 2017 a further 68 complaints had been made by subscribers who were TPS registered, and a further nine complaints were made directly to the Commissioner.
On 22 May 2017 the Commissioner sent another letter to OVL setting out the ICO’s concerns about OVL’s compliance with PECR, and requesting an explanation for the complaints received by the TPS and the Commissioner. OVL provided a spreadsheet of call data which revealed that, over a 12 month period, one individual had been called 19 times in total, and three times after advising they were “not interested”, before being added to the DNC list and continuing to be called. Other individuals continued to receive calls despite suppression requests. OVL failed to provide evidence of consent in relation to any of the calls complained about.
On 15 September 2017 the TPS confirmed that OVL has never held or requested a TPS licence.
ICO finding
The Commissioner found that OVL contravened regulation 21 of PECR because, between 1 March 2016 and 16 June 2016, OVL used a public telecommunications service for the purpose of making 55,534 unsolicited calls for direct marketing purposes to subscribers where their number was listed on the register kept by the Commissioner in accordance with regulation 25 of PECR, contrary to regulation 21(1)(b) of PECR. These calls were made to subscribers who had registered with the TPS at least 28 days prior to receiving the calls and had not given their prior consent to OVL to receive the calls.
Harm
The Commissioner was satisfied that the contravention was serious because there had been multiple breaches of regulation 21 of PECR by OVL’s activities over a 3.5 month period. OVL’s calls led to a significant number of complaints about unsolicited direct marketing calls.
The Commissioner concluded that it was reasonable to suppose that the period and extent of the contravention could have been far higher because those who went to the trouble to complain represent only a proportion of those who actually received calls.
Over a four year period OVL’s dialler made more than 30 million marketing calls, which were not screened against the TPS register once uploaded to the dialler, nor were there sufficient contractual terms in place to ensure the data’s veracity, where purchased. Of the 149,777 calls made over a 3.5 month period, an average of 37% of recipients were registered with the TPS for more than 28 days.
OVL continued to make repeated calls to subscribers even after they had registered with the TPS and/or informed OVL that they did not wish to receive calls.
OVL provided subscribers with misleading information regarding the nature of the call, which it described as a lifestyle survey.
Despite being given ample opportunity to provide evidence of consent to call individuals who had registered with the TPS, OVL failed to do so.
Aggravating factors
  • OVL was registered with the FCA as an appointed representative-introducer and individuals would expect that OVL would be aware of its conduct
  • OVL continued to make live marketing calls despite being aware of the ICO investigation and the reason for it, leading to further complaints
  • OVL failed to openly engage with the Commissioner, in particular it failed to provide evidence of consent to make calls to TPS registered numbers, despite advising the Commissioner that it could evidence consent
Penalty
The Commissioner fined OVL £70,000, which would be reduced by 20% to £56,000 if OVL paid before 20 July 2018.
British Telecommunications plc
18 June 2018
PECR – Regulation 22 (unsolicited e-mail communications)
Monetary Penalty Notice: £77,000
Factual background
British Telecommunications plc (“BT”) came to the attention of the ICO following a complaint made by an individual who had alleged that he had received an unsolicited direct marketing email from BT in December 2015, promoting their “My Donate” platform, having previously opted out of receiving direct marketing. The Commissioner opened an investigation, the results of which suggested that the same marketing email was sent to BT’s entire database.
The Commissioner wrote to BT on 27 February 2017 and the resulting correspondence revealed that only a portion of BT’s customer base had, in fact, received this email. However, it was disclosed that two further email campaigns had been launched, about which the Commissioner sought further information from BT. BT felt that the “My Donate” email was outside of the remit of the rules regarding direct marketing as it was a service message. BT indicated that this email did not contain an “opt out” link, and was sent to all customers who had consented to receiving direct marketing, and additionally to those who had not given explicit consent, or any consent at all. With regards to the other campaigns, BT accepted that the emails promoted the aims of specific charities, and said that they were therefore only sent to customers who had opted in to receiving such marketing. BT clarified that, for the purposes of “opting in”, they include not just those who have given explicit consent that they opt in, but also those customers who have previously failed to specifically opt out.
Further investigations revealed that, between 21 and 23 December 2015, 1,073,964 direct marketing emails from the “My Donate” campaign were sent to subscribers who had specifically opted out of receiving direct marketing, of which 1,064,728 were delivered. A further 2,410,957 direct marketing emails relating to the campaign were sent to those who had failed to specifically opt out, with 2,390,223 of those being delivered.
As a total of the three marketing campaigns combined, between 21 December 2015 and 29 November 2016, BT delivered a total of 4,930,141 direct marketing emails to those subscribers who had either previously opted out of receiving such marketing, or had failed to specifically opt out.
ICO finding
The Commissioner found that BT had contravened regulation 22 of PECR as, between 21 December 2015 and 29 November 2016, BT used a public electronic telecommunications service for the purposes of instigating the transmission of 4,930,141 unsolicited communications by means of electronic mail to individual subscribers for the purposes of direct marketing contrary to regulation 22 of PECR.  
In all three of the marketing campaigns, the Commissioner was of the view that the content of the message fell within the definition of direct marketing, as set out under Section 11(3) of the DPA 1998.
The Commissioner was satisfied that BT did not have the consent of the subscribers to whom it had sent unsolicited direct marketing emails, and that the exception afforded under regulation 22(3) did not apply.
The Commissioner considered that BT did not deliberately contravene regulation 22 of PECR, but the contravention was negligent as BT knew, or ought reasonably to have known, that there was a risk that these contraventions would occur, especially given that the issue of unsolicited emails had been widely publicised by the media, and it would be reasonable to expect an organisation of BT’s size to be aware of their legal obligations in respect of its direct marketing.
The Commissioner considered that BT failed to take reasonable steps to prevent the contraventions, such as putting in place appropriate systems and procedures to ensure that it had sent marketing emails only to those who had specifically consented to receive them; and putting in place adequate categorisation systems to ensure that they were not presuming consent of those subscribers who had not specifically opted out.
Harm
The Commissioner is satisfied that the contravention was serious because, between 21 December 2015 and 29 November 2016, a total of 4,930,141 direct marketing emails were delivered by BT to subscribers without their consent.
Penalty
The Commissioner fined BT £77,000, which would be reduced by 20% to £61,000 if BT paid before 20 July 2018.
Gloucestershire Police
11 June 2018
Breach of DPA 1998 – 7th Principle (Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data)
Monetary Penalty Notice: £100,000
Factual background
At the time of the contravention the Chief Constable of Gloucestershire Constabulary (“GC”) was tasked with the investigation of non-recent allegations of child abuse, relating to multiple victims. On 19 December 2016, an officer involved in the investigation sent an email update to 56 recipients by entering the recipients’ e-mail addresses into the 'to' field. The recipients of the e-mail could therefore see the full names and e-mail addresses of all the other recipients, who were individuals associated with GC's investigation, including victims of childhood abuse.
GC stated that the content of the email confirmed that the recipients "are interested parties in the investigation. That category included witnesses, journalists and lawyers". The email also made reference to a number of schools and social services that were being investigated in relation to the allegations of abuse.  
Of the 56 emails sent, all but one were considered deliverable. Three of those delivered were confirmed to have been successfully recalled. Therefore 56 names and email addresses were visible to up to 52 recipients (the exact number is unknown).
At the time of the incident the 'bcc' field was not a function automatically selectable on GC's email platform format. A staff member therefore had to adjust their own settings to be able to use this function. The 'bcc' field was inadvertently not used on this occasion. The full name and email address of each recipient was sent as a result of the officer involved having listed them as contacts on their Microsoft Outlook Account.
Once GC had realised its error, it recalled the email and, on 21 December 2016, sent an email apology to all recipients, requesting that the original email be deleted. GC also reported the matter to the ICO. One affected data subject contacted the officer involved regarding the incident and a personal apology was given.
ICO finding
GC failed to take appropriate technical and organisational measures against unauthorised processing of personal data in contravention of the seventh data protection principle at Part I of Schedule 1 to the DPA 1998. In particular:
  • GC failed to send a separate e-mail to each participant and, instead, used the bulk email facility;
  • GC failed to use the Microsoft Outlook ‘bcc’ function; and
  • GC failed to provide staff with any (or any adequate) policies, guidance or training on bulk email communication and the use of the bcc functionality in Outlook, particularly in cases where emails were being sent to multiple victims of sensitive or live cases.
In the circumstances, GC ought reasonably to have known that the participants’ names and email addresses would be vulnerable to a security breach, in the absence of appropriate technical and organisational measures.  Second, the Commissioner has considered whether GC knew or ought reasonably to have known that the contravention would be of a kind likely to cause substantial distress. She is satisfied that this condition is met, given that GC should have been aware that the e-mail addresses contained the full names of the participants. The recipients of the emails could infer that many of the other recipients were victims of child abuse. This information is confidential and sensitive personal data. Therefore, it should have been obvious to GC (in the context of the investigation) that such a contravention would be of a kind likely to cause substantial distress to the affected individuals.
Harm
The Commissioner is satisfied that the contravention identified above was serious. The disclosure identified those interested in an investigation including victims of non-recent child abuse. Recipients of the e-mails could infer from the email content that many of the other recipients were victims of child abuse. This information is confidential and sensitive personal data.
The contravention would cause distress to at least some of the participants who know that their full names have been disclosed to unauthorised individuals who could infer that they were victims of child abuse. Email addresses can also be searched via social networks and search engines. It would therefore be possible for the unauthorised individuals to identify some of the affected individuals.  The Commissioner also considers that such distress was likely to be substantial, having regard to the number of affected individuals and the confidential and sensitive nature of the personal data involved.
Aggravating factors
  • Some of the affected individuals' right to anonymity for life has been removed by this incident
  • There is no guarantee that the information has been recovered in full
  • An ICO Audit in 2014 provided a limited assurance rating, and highlighted concerns about the quality, standard and content of training on certain key systems. This incident can be partially attributed to lack of policies and poor standards and inconsistency in relation to the provision of staff training
Mitigating factors
  • GC recognised its error and initiated prompt action to remedy the problem
  • GC has apologised to the affected individuals
  • GC self-reported the incident and fully co-operated with the ICO during its investigation
  • GC referred the officer involved to its professional standards department
  • Some of the recipients of the email were already known to each other via social networking and the media
  • The issuing of a penalty may result in a loss of trust by victims of crime who may be reluctant to report crimes of a similar nature
  • GC is in the process of improving its technical and organisational measures in order to prevent a similar occurrence in the future
The British & Foreign Bible Society c/o the Bible Society
31 May 2018
Breach of DPA 1998 – 7th Principle (Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data)
Monetary Penalty Notice: £100,000
Factual background
The British and Foreign Bible Society (“the Society”) translates and distributes the Bible in the UK and around the world, receiving donations from its supporters in the UK.
In 2009, a service account was created in an Organisational Unit (normally separate from the user accounts) of the Active Directory (“AD”) domain, with rights to log on to the network and access network files for printing. The password to the account was the same as the account username and therefore weak; it had been set that way because the service account was not intended to be externally visible. At a later date (possibly because the scope of the service had been extended), the service account was given the additional user right to log on to the remote desktop server (“RDS”), which enables home working for the AD user accounts. The password had not been changed.
Between 16 November 2016 and 1 December 2016, one or more attackers exploited this vulnerability using a ‘brute-force’ attack until they guessed the weak password and accessed the service account. On 1 December 2016, an attacker deployed ransomware on the RDS in the user profile of the service account. The ransomware encrypted approximately 1 million shared files held on the open network, some of which contained personal data, including 1,020 payment card details (card number, start/end date); 27,800 bank details (sort code and account number); and contact details in relation to 417,000 supporters (name, address, telephone number and email address) ("the supporter data").
Fortunately, the supporter data had been backed up the day before the attack, so the Society could not be held to ransom. However, the Dharma variant of the Crysis ransomware used in the attack was able to transfer files out of the system and back to the attacker. There were also unusual peaks in outbound traffic during the attack. It is therefore considered likely that at least some of the files containing personal data held on the network were copied and extracted by the attacker.
The ransomware was not detected when it was first deployed to the RDS at 16:30 on 30 November 2016 because 'on access scanning' was not enabled. The ransomware was therefore able to operate until it was detected by the daily scan at 05:00 on 1 December 2016.
ICO finding
The Society failed to take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data in contravention of the seventh data protection principle at Part I of Schedule 1 to the DPA 1998. The Society did not have in place appropriate technical and organisational measures for ensuring, so far as possible, that such an incident would not occur (i.e. for ensuring that the supporter data held in files on the network could not be accessed by an attacker using ransomware). In particular:
  • The Society's IT team did not have in place sufficient oversight of its network and underlying systems;
  • The Society did not identify the possible risks to its network when the service account was given an additional user right to logon to the RDS;
  • The Society did not remove all of the shared files from the open network to a secure location with limited access; and
  • The Society did not ensure that 'on access scanning' was enabled.
Harm
The contravention was serious due to the number of people affected, the nature of the data that was held on the network and the potential consequences.
Mitigating factors
  • The Society's network was subjected to a criminal attack.
  • The Society notified the 1,020 payment card holders and provided advice.
  • There is no evidence that the compromised personal data was in fact used for successful fraud activities.
  • Some of the compromised personal data was historic.
  • The primary account numbers had been redacted from 811 payment cards by a black marker pen.
  • The Society was co-operative during the Commissioner's investigation.
  • The Society has taken substantial remedial action since September 2016.
  • The Society has now achieved compliance with PCI DSS.
  • A monetary penalty may have a significant impact on the Society's reputation and (to an extent) its resources.
Independent Inquiry into Child Sexual Abuse
5 July 2018
Breach of DPA 1998 – 7th Principle (personal data must be kept secure)
Monetary Penalty Notice: £200,000
Factual background
On 7 July 2014, the Independent Inquiry into Child Sexual Abuse (the “Inquiry”) was established to investigate the extent to which institutions had failed to protect children from sexual abuse. The Inquiry provided a forum for victims and survivors of child sexual abuse. Its participants were provided with regular email updates on the work of the Inquiry. On 27 February 2017, a staff member sent a blind carbon copy ("bcc") e-mail to 90 participants informing them about a forthcoming public hearing. He noticed an error in a link contained within the body of the email and sent a correction by entering the participants' e-mail addresses into the 'to' field, instead of the 'bcc' field, by mistake. The recipients of the email could therefore see the e-mail addresses of all the other recipients.
52 of the e-mail addresses contained the full names of the participants or had a full name label attached, and 23 included a partial name. The Inquiry was notified about the security breach by a recipient of the email who entered two further email addresses into the 'to' field before clicking on 'Reply All'. One was a generic contact email address for the Inquiry, and the other was the external email address of an Inquiry panel member.
The Inquiry then sent three emails to the participants asking them to delete the original email and not to disseminate it further. One of these emails generated 39 'Reply All' emails from 22 recipients, thereby exacerbating the security breach.
Subsequently, the Inquiry instructed the company that provided its IT services ("the Company") to create and maintain a mailing list for the participants. The Inquiry did not test the functionality of the mailing list before roll-out, and relied on advice provided by the Company that it would prevent individual recipients from replying to the entire mailing list. On 20 July 2017, a recipient clicked on 'Reply All' in response to an email from the Inquiry via the mailing list. This revealed the recipients’ e-mail addresses to the entire mailing list, contrary to the Company's advice. Four more participants revealed their email addresses to the entire mailing list by clicking on 'Reply All' when replying to the recipient's e-mail.
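Both incidents described above share one failure mode: participant addresses ending up in a header that every recipient can see, first through the 'to' field and later through a list that allowed 'Reply All'. The following is an added example (not code from the page, the Inquiry, or its IT supplier) of a pre-send guard that would have caught the first mistake: it builds a bulk notice with participants in Bcc only, reports any participant address that has leaked into To or Cc, and can move such addresses back into Bcc before the message is handed to the mail server. The sender address, participant addresses and the `.invalid` domains are constructed sample values.

```python
"""Pre-send guard for bulk notices: recipients must never be visible to each other.

Added example. Works on a standard-library EmailMessage; the addresses below
are constructed sample values, not real participants.
"""
from email.message import EmailMessage
from email.utils import getaddresses


def build_bulk_notice(sender, participants, subject, body):
    """Build a bulk notice the safe way: participants go in Bcc only.

    The only visible recipient is the sender's own mailbox, and Reply-To points
    back at the sender, so a recipient's "Reply All" cannot fan out to the
    other participants (this only holds while nobody else is visible in To/Cc).
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Reply-To"] = sender
    msg["Bcc"] = ", ".join(participants)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def _addresses(msg, header):
    """Lower-cased addresses found in the given header (all occurrences)."""
    raw = [str(h) for h in msg.get_all(header, [])]
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def visible_recipients(msg):
    """Addresses every recipient will be able to see: To plus Cc."""
    return _addresses(msg, "To") + _addresses(msg, "Cc")


def check_bulk_message(msg, allowed_visible):
    """Return the sorted list of visible addresses that are not allowed to be visible.

    An empty list means the message is safe to send. `allowed_visible` is the
    small set of addresses (the sender, a shared inbox) that may appear in To/Cc.
    """
    allowed = {a.lower() for a in allowed_visible}
    return sorted(set(visible_recipients(msg)) - allowed)


def sanitise_bulk_message(msg, allowed_visible):
    """Move every leaked To/Cc address into Bcc in place; return how many were moved."""
    leaked = check_bulk_message(msg, allowed_visible)
    if not leaked:
        return 0
    allowed = {a.lower() for a in allowed_visible}
    keep_visible = [a for a in visible_recipients(msg) if a in allowed]
    existing_bcc = _addresses(msg, "Bcc")
    # Rewrite the three recipient headers from scratch, de-duplicating addresses.
    del msg["To"]
    del msg["Cc"]
    del msg["Bcc"]
    if keep_visible:
        msg["To"] = ", ".join(dict.fromkeys(keep_visible))
    msg["Bcc"] = ", ".join(dict.fromkeys(existing_bcc + leaked))
    return len(leaked)


def demo_mistaken_correction():
    """Reproduce the 'correction sent with participants in To' mistake and repair it.

    Returns (leaked_before, moved, leaked_after) so the outcome can be checked.
    """
    sender = "updates@inquiry.invalid"                  # constructed
    participants = ["p1@one.invalid", "p2@two.invalid", "p3@three.invalid"]  # constructed
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(participants)                 # the mistake: should have been Bcc
    msg["Subject"] = "Corrected link for the public hearing"
    msg.set_content("Please use the corrected link below.")

    leaked_before = check_bulk_message(msg, [sender])
    moved = sanitise_bulk_message(msg, [sender])
    leaked_after = check_bulk_message(msg, [sender])
    return leaked_before, moved, leaked_after


if __name__ == "__main__":
    print(demo_mistaken_correction())
```

In practice the check belongs at the point where a shared mailbox or list tool hands the message to the mail server, since that is the last place a human error in the compose window can still be stopped. Note that the standard library drops the Bcc header when a message is sent with `smtplib.send_message`, which is the behaviour a bulk sender wants.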
ICO finding
The Commissioner found that the Inquiry failed to take appropriate technical and organisational measures against unauthorised processing of personal data (DPA 1998 – 7th Principle).
The Commissioner did not consider the contravention deliberate, but stated that the Inquiry should have known, or ought to have known, that there was a risk that this contravention would occur. The ICO found that the Inquiry had failed to take reasonable steps to prevent the contravention.
It was also noted that the Commissioner’s office issued two monetary penalty notices on 11 December 2015 (Bloomsbury Patients Network) and 4 May 2016 (Chelsea & Westminster Hospital NHS Trust), which raised awareness about the risks of sending bulk emails using the ‘bcc’ field.
Harm
The ICO was satisfied that the contravention was serious due to the number of affected individuals, the nature of the confidential and sensitive personal data involved and the potential consequences.
The Commissioner held that the contravention was likely to cause substantial damage or substantial distress, taking into account that the Inquiry disclosed the participants' email addresses in contravention of the forum registration form and its own Privacy Notice. The participants are likely to be distressed by a failure to process their data in accordance with their reasonable expectations. Further, the participants would be distressed by justifiable concerns that their data has been further disseminated, even if those concerns do not actually materialise. In this context it is important to bear in mind that the participants were suffering from the lifelong consequences of child sexual abuse, and were therefore extremely vulnerable. They also had a right to lifelong anonymity.
Aggravating factors:
  • The Inquiry initially failed to take effective remedial action thereby exacerbating the security breach.
  • The Inquiry and the ICO received 22 complaints about the security breach.
Mitigating factors:
  • The Inquiry apologised to the affected individuals.
  • The Inquiry has now taken substantial remedial action.
  • A monetary penalty may have a significant impact on the Inquiry's reputation.
  • This security breach has been widely publicised in the media.
Penalty
The Commissioner fined the Inquiry £200,000, reduced by 20% to £160,000 if the Inquiry paid by 6 August 2018.
Lifecycle Marketing (Mother and Baby) Ltd
8 August 2018
DPA 1998 – 1st Principle (personal data must be processed fairly and lawfully)
Monetary Penalty Notice: £140,000
Factual background
Emma's Diary, Lifecycle Marketing (Mother and Baby) Ltd (“LCMB”) describes itself as "one of the UK's leading baby clubs for mums-to-be, providing expert advice on every aspect of pregnancy and childcare.” It describes its portfolio as including a database that helps marketers to target their promotional activities for baby-related brands.
In May 2017, LCMB supplied 1,065,220 records to Experian Marketing Services under a data supply agreement listing the Labour Party as Experian's client. The records comprised the personal data of both mothers and young children up to 5 years old. LCMB obtained that personal data via its online registration tool on its website and, via an offline registration form.
Experian, acting as an agent or processor on behalf of the Labour Party, loaded those records onto a database it hosted for the Labour Party to assist the Labour Party with a direct marketing email campaign for the general election in 2017.
Up until LCMB provided the Labour Party with records in May 2017, LCMB’s privacy notices gave no indication that personal data may be shared with the Labour Party, or any political party, for the purposes of any political marketing. Data subjects would therefore not have foreseen that their data would be shared with any political party.
ICO finding
The ICO found that LCMB failed to comply with its transparency duty in this case as it did not make available to the affected data subjects information about the potential disclosure of their personal data to the Labour Party or to anyone else who might use that data for the purposes of political marketing.
The ICO did consider LCMB’s actions deliberate, and held that LCMB should have known, or ought reasonably to have known, that there was a risk that this contravention would occur and that it would be of a kind likely to cause substantial damage or substantial distress. The ICO found that LCMB had failed to take reasonable steps to prevent the contravention.
Harm
The ICO was satisfied that the contravention was serious, due to the high number of affected individuals (in excess of a million), the fact that the data subjects included young children, and the fact that the individuals were exposed to a significant loss of control over their data.
The ICO found that the contravention was of a kind likely to cause substantial distress.
Aggravating factors
  • Based on its data supply agreement with Experian, the Commissioner has concerns about the extent to which LCMB was, in practice, able to exercise or enforce control over the personal data it disclosed.
Mitigating factors
  • The Commissioner understands that this was the only occasion on which LCMB shared personal data with any political party or for the purposes of political marketing or political insight.
  • Experian has confirmed that on 28 June 2017 it destroyed all data provided by LCMB for use in the Labour Party's campaign.
  • The proposed penalty will have a financial impact on LCMB, and may also have some reputational impact.
Penalty
The Commissioner fined LCMB £140,000, reduced by 20% to £112,000 if LCMB paid by 6 September 2018.
AMS Marketing Ltd
27 July 2018
PECR – Regulation 21 (unsolicited telephone calls)
Monetary Penalty Notice: £100,000
Factual background
AMS Marketing Ltd’s (“AMS”) business included management consultancy services.
Between 1 October and 31 December 2017, AMS used a public telecommunications service for the purposes of making 75,649 unsolicited calls for direct marketing purposes to subscribers of the TPS.
The ICO received 71 complaints about AMS from individual subscribers of the TPS. The TPS received a further 32 complaints.
AMS confirmed that it purchased data lists from third parties but carried out no TPS checks on that data, and that it would not be possible to attribute the complaints to a particular data set since records about the suppliers were not kept for longer than three months.
ICO finding
The ICO found that, in contravention of regulation 21 of PECR, AMS used a public telecommunications service for the purpose of making unsolicited calls to subscribers registered with the TPS for direct marketing purposes without the appropriate consent.
The ICO did not consider the contravention deliberate, but stated that AMS knew, or ought reasonably to have known, that there was a risk that this contravention would occur, given that AMS relied heavily on direct marketing due to the nature of its business, the way in which it sourced its data, and the fact that the issue of unsolicited calls has been widely publicised by the media as a problem. AMS also failed to take reasonable steps to prevent the contravention.
Harm
The Commissioner was satisfied that the contravention was serious. This is because there were multiple breaches of regulation 21 by AMS, arising from the organisation's activities over a 15 month period, and this led to a significant number of unsolicited direct marketing calls being made to subscribers who were registered with the TPS, and a substantial number of complaints being made as a result.
Penalty
The Commissioner fined AMS £100,000, reduced by 20% to £80,000 if AMS paid by 28 August 2018.
Everything DM Ltd
3 September 2018
PECR – Regulation 22
Monetary Penalty Notice: £60,000
Factual background
Everything DM Ltd (“EDML”) is an independent direct marketing agency, which designs direct mail pieces and also offers campaign services.
EDML first came to the attention of the Commissioner following an investigation by 'Which? Magazine' ("Which") into the marketing activities of list brokers in connection with early pension release schemes. EDML is one such list broker, and was one of the organisations being looked into by Which.
The Commissioner wrote to EDML on 24 January 2017 setting out its concerns regarding EDML’s compliance with the DPA 1998 and PECR, in light of the investigation carried out by Which. In its response on 13 February 2017, EDML explained that, as a list broker, it acts as a data processor of the lists that it licenses and only processes the data on behalf of the list owners, who are the data controllers.
During the course of the ICO’s investigation, the Commissioner also discovered that the third party privacy policies and fair processing notices relied on by EDML for marketing campaigns only referred to data being passed to unspecified ‘partners’ and/or ‘third party companies’. EDML was not specifically named and did not appear to hold valid consent to engage in direct marketing, and the Commissioner was of the view that EDML relied wholly on indirect consent for its actions in relation to the licensed data.
Further enquiries with EDML revealed that they had sent a total of 1,502,364 direct marketing emails to individuals, of which 1,424,144 were delivered. No evidence of valid consent from the subscribers had been provided for any of the emails sent by EDML.
ICO finding
The ICO found that EDML used a public electronic telecommunications service for the purposes of transmitting 1,424,144 unsolicited communications without the requisite consent (regulation 22 of PECR).
The Commissioner considered that, in this case, EDML did not deliberately contravene regulation 22 of PECR. The Commissioner was satisfied that EDML knew, or ought reasonably to have known, that there was a risk that these contraventions would occur.
Harm
The ICO was satisfied that the contravention was serious. This is because, between the dates of 31 May 2016 and 30 May 2017, EDML sent a total of 1,424,144 direct marketing emails to subscribers without their consent.
The ICO also noted that the scale of the contravention could have been larger, as EDML had attempted to send a total of 1,502,364 direct marketing emails.
Aggravating factors
  • EDML took steps to conceal their identity from the recipient.
  • EDML failed to engage any remedial measures to bring their practices in line with lawful requirements.
  • EDML continues to provide email campaigns on behalf of its clients in breach of regulation 22.
Penalty
The Commissioner fined EDML £60,000, reduced by 20% to £48,000 if EDML paid by 3 October 2018.
Equifax Ltd
19 September 2018
Monetary Penalty Notice: £500,000
Breach of DPA 1998 – 1st (personal data must be processed fairly and lawfully), 2nd (personal data must be processed for specific lawful purposes), 5th (personal data must not be kept for any longer than is necessary), 7th (personal data must be kept secure) and 8th (personal data must not be transferred outside the EEA without adequate protection) Principles
Factual background
Equifax Ltd (“Equifax”) is a major credit reference agency and states that it has ‘one of the largest sources of detailed consumer and business data in the UK’.
One of the products Equifax supplies to its clients is the Equifax Identity Verifier ("EIV"). The EIV allows Equifax’s clients to verify a consumer's identity online, over the telephone or in person, and is used, for instance, to comply with anti-money-laundering requirements. In order to verify an individual's identity, the client enters that individual's personal information on the system, which is then checked against other sources of data held by Equifax. Equifax has been supplying EIV in the UK since 2011.
Between 13 May and 30 July 2017, a cyber attack took place in the United States affecting Equifax’s parent company, Equifax, Inc., in which the affected data contained up to 15 million unique records of UK individuals. Equifax subsequently acknowledged that another UK dataset was affected by the breach, whereby 27,047 UK individuals had also been compromised; and passwords and obscured financial information of 14,961 individuals were also compromised. The compromised personal data was held in plaintext form and was not encrypted, contrary to Equifax’s applicable data handling standard.
Equifax, Inc. only informed Equifax of the data breach late on 7 September 2017 although:
  • The data breach was first discovered by Equifax, Inc. on 29 July 2017; and
  • Equifax, Inc. became aware that UK data might be affected in late August 2017.
ICO finding
The Commissioner found that Equifax contravened Data Protection Principles 1, 2, 5, 7 and 8.
Harm
The Commissioner considered that this contravention was serious due to the following factors:
  • The fact that Equifax contravened multiple data protection principles
  • The contravention entailed several systemic inadequacies in Equifax's technical and organisational measures for the safeguarding of the relevant personal data. Cumulatively, this multi-faceted contravention was extremely serious
  • A number of the inadequacies related to significant measures needed for a robust data management system
  • The multiple organisational inadequacies were particularly problematic in light of, inter alia, the nature of Equifax’s business, the volume of personal data being processed, and the number of data subjects involved
  • The Commissioner did not receive a satisfactory explanation for those individual and cumulative inadequacies
  • At least some of the inadequacies appear to have been in place for a long period of time without being discovered or addressed
  • The inadequacies put the personal data of millions of data subjects at risk
  • The period of vulnerability for the affected UK data took place over an extended period of time and the data breach was not detected promptly. It was not reported to the Commissioner until over two months after the event
  • In respect of the UK records that were compromised, there were, and remain, significant opportunities for misuse. The relevant personal data is liable to be useful to scammers and fraudsters.
Aggravating factors
  • The security breach impacted many more individuals than just the UK data subjects. 146 million data subjects' personal data was compromised and the data of millions more was put at risk.
  • Those risks appear to have persisted for a prolonged period of time given the systemic inadequacies.
  • Some of the failures concern failures to ensure appropriate security measures, such as implementation of patches and the encryption of personal data and the appropriate securing of passwords.
  • The data breach exploited a known vulnerability and therefore could potentially have been prevented. In particular, the security breach arose out of a failure to implement a patch to the affected system(s), which it failed to identify as vulnerable.
  • Equifax's contractual arrangements with Equifax, Inc. were inadequate in material respects.
Mitigating factors
  • The relevant data was, for the most part, not of itself highly sensitive in terms of its impact on data subjects' privacy.
  • The affected data subjects, as well as Equifax, have been the victim of the malicious actions of third party individuals.
  • Equifax proactively reported this matter to the Commissioner, promptly after learning about it from Equifax, Inc., albeit a significant time after the actual data breach.
  • Equifax deleted, at least, some of the data remaining in the US environment following migration of EIV to the UK.
  • Equifax and Equifax, Inc. took steps to minimise potentially harmful consequences, such as engaging specialist IT security experts to manage the data breach, offering free credit monitoring services to UK data subjects affected by the breach, and working with the relevant regulators in the US, Canada, and the UK.
  • Equifax and Equifax, Inc. have implemented certain measures to prevent the recurrence of such incidents. For example, Equifax, Inc. has increased its system scanning capability and is now storing passwords in a cryptographic hash value, whilst strengthened procedures are now in effect.
Penalty
The Commissioner fined Equifax £500,000, reduced by 20% to £400,000 if Equifax paid by 18 October 2018.
Bupa Insurance Services
26 September 2018
Breach of DPA 1998 – 7th Principle (personal data must be kept secure)
Monetary Penalty Notice: £175,000
Factual background
Bupa Insurance Services (“Bupa”) manages domestic and global insurance policies. Bupa Global customers are able to access healthcare services in more than one country, and typically work abroad or travel on a regular basis.
On 16 June 2017, a staff member in Bupa Global was informed by an external partner that personal data of Bupa Global’s customers was being offered for sale on the popular dark web site, AlphaBay Market.
Following Bupa’s investigation into the matter, it was discovered that between 6 January 2017 and 11 March 2017, a member of Bupa’s Partnership Advisory Team (“AA”) had extracted the relevant personal data of 547,000 data subjects by attaching the data to six emails in zip files and sending it to his personal account. It was further uncovered that between 19 December 2013 and 18 January 2017, AA saved three more data sets to his desktop, including credit card details for 15 data subjects.
On 12 July 2017, Bupa began a communication programme to alert all of its customers to the potential for scam messages and calls, and received approximately 191 complaints from Bupa Global customers about the incident. In August 2017 Bupa commissioned an external review of the incident, which found that the security controls to protect customer data against the threat of a rogue employee were weak at the time of the incident.
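The extraction described above (a series of zip attachments mailed to a personal account over several weeks) is the kind of slow, low-complaint pattern that a mail gateway log will show long before a dark-web listing does. The following is an added example, not code from the page, Bupa or the ICO, of a detection that runs over constructed gateway log lines and flags any internal sender who mails repeated archive attachments to a personal webmail domain within a window. The log layout, the `corp.example` and `*.example` domains, the thresholds and the sample rows are all assumptions made for this example.

```python
"""Flag staff who repeatedly mail archive attachments to personal webmail addresses.

Added example. The log format (timestamp sender recipient attachment bytes), the
domains and the threshold values are assumptions; the sample rows are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CORPORATE_DOMAIN = "corp.example"                             # assumption
PERSONAL_WEBMAIL = {"webmail.example", "freemail.example"}    # assumption
ARCHIVE_EXT = (".zip", ".7z", ".rar", ".gz", ".tar")

# Constructed sample log: one outbound message with an attachment per line.
# Sender "aa" mirrors the pattern in the text: six zip files to a personal
# mailbox over roughly two months; "bb" and "cc" are ordinary business traffic.
SAMPLE_LOG = """\
2017-01-06T08:12:03 aa@corp.example aa.home@webmail.example export_part1.zip 48213000
2017-01-20T17:44:10 aa@corp.example aa.home@webmail.example export_part2.zip 51002000
2017-02-03T18:01:55 aa@corp.example aa.home@webmail.example export_part3.zip 50110000
2017-02-17T17:58:22 aa@corp.example aa.home@webmail.example export_part4.zip 49900000
2017-03-01T12:03:17 bb@corp.example partner@supplier.example quote.pdf 210000
2017-03-10T17:30:05 aa@corp.example aa.home@webmail.example export_part5.zip 50300000
2017-03-11T16:20:41 aa@corp.example aa.home@webmail.example export_part6.zip 47700000
2017-03-11T09:05:00 cc@corp.example cc@corp.example notes.zip 12000
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, attachment, size = line.split()
        rows.append({
            "ts": datetime.fromisoformat(ts),
            "sender": sender.lower(),
            "rcpt": rcpt.lower(),
            "attachment": attachment,
            "size": int(size),
        })
    return rows


def is_personal_webmail(address):
    """True when the recipient domain is a known personal webmail provider."""
    domain = address.rsplit("@", 1)[-1]
    return domain != CORPORATE_DOMAIN and domain in PERSONAL_WEBMAIL


def find_archive_exfil(rows, min_events=3, window=timedelta(days=90),
                       min_total_bytes=100_000_000):
    """Return {sender: summary} for senders whose archive attachments to personal
    webmail reach `min_events` messages and `min_total_bytes` within `window`.

    A sliding window is started at each qualifying event so a slow drip that
    spans weeks is still caught; the first window that trips the thresholds wins.
    """
    by_sender = defaultdict(list)
    for r in rows:
        if r["attachment"].lower().endswith(ARCHIVE_EXT) and is_personal_webmail(r["rcpt"]):
            by_sender[r["sender"]].append(r)

    alerts = {}
    for sender, events in by_sender.items():
        events.sort(key=lambda r: r["ts"])
        for i, start in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            total = sum(e["size"] for e in in_window)
            if len(in_window) >= min_events and total >= min_total_bytes:
                alerts[sender] = {
                    "events": len(in_window),
                    "bytes": total,
                    "first": in_window[0]["ts"],
                    "last": in_window[-1]["ts"],
                    "recipients": sorted({e["rcpt"] for e in in_window}),
                }
                break
    return alerts


if __name__ == "__main__":
    for sender, summary in find_archive_exfil(parse_log(SAMPLE_LOG)).items():
        print(sender, summary)
```

The thresholds are deliberately conservative so that a single archive sent home once does not page anyone; what the rule is built to surface is repetition plus volume to a non-corporate mailbox, which is exactly the shape of the incident in the text. In a real deployment the same aggregation would run against the gateway's own export rather than an inline string, and the alert would be enriched with the sender's role and the CRM export logs described in the ICO's finding.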
ICO finding
The ICO found that Bupa did not have the appropriate technical and organisational measures for ensuring so far as possible that such an incident would not occur (DPA 1998 – 7th Principle).
The ICO also held that Bupa knew or ought reasonably to have known that there was risk that the contravention would occur. The ICO further found that Bupa had failed to take reasonable steps to prevent the contravention.
Harm
The ICO was satisfied that the contravention identified was ‘serious’ due to the following:
  • The contravention comprised a number of material inadequacies in Bupa’s technical and organisational measures for the safeguarding of the extracted data.
  • The ICO found that the inadequacies were systemic, rather than arising from any specific incident or incidents.
  • Large volumes of personal data were accessible to, and could be exported swiftly by, 20 members of Bupa’s Partnership Advisory Team from the customer relationship management system to any device.
The ICO held that the contravention would likely cause substantial distress, taking into account:
  • some of the personal data could be used for fraud and/or criminal activity;
  • any communications that were made would likely result in recipients providing their bank details to scammers.
The ICO recognised that distress could be caused to Bupa’s customers as they would be uncertain about how the incident may adversely affect them, particularly in the context of the dark web which can facilitate anonymous communications and disguise criminal activity.
Aggravating factors
  • Up to 1.5 million data subjects’ personal data was put at risk and these risks appeared to have persisted for a long period of time.
  • While additional controls were promptly put in place by Bupa which would prevent a recurrence of the data breach caused by AA, 100 days after the incident it was still possible for a rogue employee to extract personal data from Bupa’s system through other means.
Mitigating factors
  • The relevant personal data was not itself highly sensitive in terms of its impact on data subjects’ privacy.
  • The affected data subjects, as well as Bupa, have been the victims of the malicious actions of one individual acting in contravention of Bupa’s policies.
  • The rogue employee was dismissed, and Sussex police has issued a warrant for his arrest regarding an offence under section 55 DPA 1998, although his current whereabouts are unknown.
  • The data controller proactively reported the matter to the ICO and other relevant regulators.
  • Bupa took steps to minimise potentially harmful consequences and treated the incident very seriously.
  • There is no evidence that the relevant personal data was in fact used for successful fraud activities.
  • There is no evidence that the personal data was sold to any unknown third party.
  • The incident was widely publicised in the media.
  • Bupa agreed to participate in the ICO’s annual audit programme.
  • Bupa has now implemented certain measures to prevent the recurrence of an incident like this.
Penalty
The Commissioner fined Bupa £175,000, reduced by 20% to £140,000 if Bupa paid by 26 October 2018.
Oaklands Assist UK Ltd
26 September 2018
Monetary Penalty Notice: £150,000
Breach of PECR – Regulations 21 and 24 (unsolicited telephone calls)
Factual background
Oaklands Assist UK Ltd (“Oaklands”) is an advertising agency.
On 21 February 2018 it was confirmed that there were a total of 246,459 calls made between the period of 5 May 2017 and 12 July 2017, of which 63,724 calls were made to subscribers who had registered with the TPS not less than 28 days prior to receiving a call. The Commissioner further determined that, as a result of the direct marketing calls, a total of 59 complaints were made, with 28 of those being made directly via the ICO’s online reporting tool, and a further 31 being made to the TPS.
The Commissioner sent an initial investigation letter to Oaklands on 24 August 2017 setting out concerns regarding Oaklands’ compliance with PECR. Oaklands did not respond to this initial letter and as a result the Commissioner served Oaklands with an Information Notice. Oaklands explained that they had very little of the information requested in the Information Notice. Crucially, Oaklands claimed not to have records of the numbers dialled, volumes of calls made, or details of where the data they used had been obtained from.
ICO finding
The Commissioner found that Oaklands used a public telecommunications service for the purposes of making 63,724 unsolicited calls for direct marketing purposes in contravention of regulation 21 of PECR.
The ICO did consider the contravention to be deliberate in this case, as the inadequacies found were more than matters of serious oversight and Oaklands should have known, or ought reasonably to have known, that there was a serious risk that the contraventions would occur.
Harm
The Commissioner was satisfied that the contravention was serious. This is because there were multiple breaches of regulation 21 of PECR, which led to a significant number of complaints as a result.
The ICO was also satisfied with the evidence from the complaints, which suggested that the callers from Oaklands provided false company names to the subscribers, which the ICO concluded was an attempt to conceal the company’s identity when engaging in their direct marketing activity (regulation 24 of PECR).
Aggravating factors
  • The Commissioner found that Oaklands were almost thoroughly uncooperative and failed repeatedly throughout the investigation to engage with the Commissioner, responding only towards the end when there was an indication that criminal proceedings would be initiated against them.
  • When Oaklands did respond they provided vague and obstructive answers, which failed to address any of the Commissioner's concerns.
  • The Commissioner has had to object to Oaklands being struck off the register with Companies House following their apparent cessation of business in light of the Commissioner's investigation, thus demonstrating Oaklands’ efforts to escape regulatory action.
Mitigating Factors
  • There were no mitigating factors.
Penalty
The Commissioner fined Oaklands £150,000, reduced by 20% to £120,000 if Oaklands paid by 26 October 2018.
Heathrow Airport Limited
3 October 2018
Breach of DPA 1998 – 7th Principle (personal data must be kept secure)
Monetary Penalty Notice: £120,000
Factual background
Heathrow Airport Limited (“HAL”) is one of the UK’s largest airports, and the world’s seventh busiest airport.
On 16 October 2017, a member of the public found a USB memory stick in Kilburn, West London. The individual took the USB memory stick to a local library where they plugged it into a computer and accessed files contained on the memory stick, which were not encrypted or password protected. The USB stick held 76 folders and over 1,000 files originating from HAL and approximately 1 per cent of the information comprised personal data, including sensitive personal data. Following discovery of the information, the individual contacted a local newspaper and handed over the USB stick on 21 October 2017. On 26 October 2017, the newspaper informed HAL that it was in possession of the USB stick, which it returned to HAL the following day. HAL then reported the matter to the police. However, the newspaper had already taken and retained a copy of the USB stick without HAL’s knowledge or consent and declined to return or destroy the copy despite requests by HAL.
After being contacted by the Commissioner on 30 October 2017 about the matter, following the Commissioner’s awareness of the incident via the media, HAL completed a breach notification form on 7 November 2017. From HAL’s investigation, it appeared that the USB stick was lost in transit when the employee security trainer was commuting to or from their place of work.
In response to the incident, on 31 October 2017, a company-wide instruction was issued directing staff to locate any memory sticks in their possession, delete any files contained on the devices and then transfer the data or destroy the device according to advice provided by HAL’s IT department.
HAL further explained to the Commissioner that there is limited data protection training in place, which an estimated 2% of HAL’s 6,500 employees had undertaken, being those deemed to be at greatest risk of exposure to personal data. HAL also explained that this data protection training was not in place for security trainers, including the staff member involved in the incident at hand.
ICO finding
The Commissioner found that HAL failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data (DPA 1998 – 7th Principle).
The Commissioner further found that HAL did not take steps to ensure that personal data on its network was secured to a suitable standard, due to gaps in the technical and organisational measures in place at the time of the incident, in particular:
  • HAL failed to have in place any, or any adequate, technical controls to prevent downloading of personal data onto unencrypted removable media.
  • HAL failed to have in place adequate organisational measures to prevent staff using personal devices to remove personal data from HAL systems.
  • HAL had no control as to whether devices used were secured to an appropriate standard and had no record or control over the number of devices used containing personal data.
  • HAL failed to encrypt or password protect the data contained on the USB stick.
  • HAL failed to provide staff with any or any sufficient training in relation to data protection and information security.
  • HAL failed to monitor and ensure compliance with existing policies and guidance in relation to the use of removable media.
Harm
The Commissioner was satisfied that the contravention was serious because the USB stick contained personal and sensitive personal data, including passport details, nationality and trade union membership.
The Commissioner further found that the contravention was serious as insufficient measures were in place to control the use of removable media to transfer personal data held on its systems.
Aggravating factors
  • The contravention does not appear to be contained to one service area, suggesting long term and sustained risk to personal data across the organisation.
  • Data protection should have been high on HAL's agenda, given the industry and personal data involved.
  • Only two per cent of staff (notwithstanding that these were those identified by HAL as having greatest exposure to personal data) had received training on data protection and information security - the lowest the Commissioner had seen in her experience.
  • Whilst measures in respect of containment of the incident were actioned promptly, remedial measures in respect of systemic failings across HAL were not as compliant as the ICO would have expected.
Penalty
The Commissioner fined HAL £120,000, reduced by 20% to £96,000 if HAL paid by 5 November 2018.
Boost Finance Limited (MPN)
3 October 2018
Breach of PECR – Regulation 22 (unsolicited email communication)
Monetary Penalty Notice: £90,000
Factual background
Boost Finance Limited (“BFL”) is a lead-generator in the finance sector. Its main business is biddable media, but it also conducts marketing through contractual arrangements with selected marketing affiliates.
Between 1 January 2017 and 20 September 2017, BFL (trading as findmeafuneralplan.com) instigated, via its appointed affiliates, the transmission of approximately 4,396,780 unsolicited marketing emails promoting funeral plans. The emails were sent to individuals who had subscribed to a number of websites operated by BFL's affiliates.
As at 7 November 2017, the Commissioner had received six complaints from individuals who had received marketing emails promoting funeral plans from BFL. BFL submitted that there were only four complaints, as two were duplicated, although the Commissioner indicated that a small reduction in the number of complaints did not materially affect the decision.
The ICO’s investigation revealed that, in respect of all but one affiliate website, the information provided to subscribers about marketing, whilst in some cases making generic mention of pre-paid funeral plan providers, did not specifically name BFL or any of its trading styles, and only listed ‘sponsors’, ‘related partners’, ‘selected marketing partners’ or similar generic descriptions.
In respect of the website, which named a trading style of BFL, this information was embedded in a very lengthy list of organisations from whom individual subscribers may expect to receive marketing communications. Further, the majority of the websites did not provide subscribers with the opportunity to opt out of third party marketing. For those which provided a 'soft opt-in', the information was not always readily available and did not allow subscribers to specify means of receipt.
ICO finding
The Commissioner found that, between 1 January and 20 September 2017, BFL, via its affiliates, instigated the transmission of approximately 4,396,780 unsolicited communications over a public electronic communications network by means of electronic mail to individual subscribers for the purposes of direct marketing (regulation 22 of PECR).
The ICO considered that BFL ought reasonably to have known that there was a risk that this contravention would occur, given that BFL relied heavily on direct marketing due to the nature of its business.
Harm
The ICO was satisfied that the contravention was ‘serious’ because BFL, via its affiliate marketers, sent direct marketing emails to subscribers without their consent, over a 9 month period resulting in complaints to the ICO.
Aggravating factors
  • There is evidence of a lack of due diligence on the part of BFL, which could have identified inadequate privacy policies, thereby preventing the contraventions.
  • There is evidence of a loss of control of personal data by BFL leaving individuals to become exposed to high volumes of unsolicited marketing emails. Indeed, BFL informed the Commissioner during her investigation that, as its email marketing campaigns were conducted by third party marketing companies on a performance basis, they had no control over the volume of messages sent.
  • The sensitive nature of the emails meant there was potential for high detriment.
  • BFL continues to operate under other live trading names, conducting marketing campaigns for other sectors.
Mitigating factors
  • BFL has ceased its funeral planning marketing campaign.
Penalty
The Commissioner fined BFL £90,000, reduced by 20% to £72,000 if BFL paid by 5 November 2018.
Facebook Ireland Ltd
24 October 2018
Breach of DPA 1998 – Principles 1 (personal data must be processed fairly and lawfully) & 7 (personal data must be kept secure)
Monetary Penalty Notice: £500,000
Factual background
In 2013 Dr Aleksandr Kogan created an app named “thisisyourdigitallife” (the “App”) for use in conjunction with the Facebook platform. Dr Kogan acted both in his own capacity and also through his company, Global Science Research Limited (“GSR”).
Dr Kogan and/or GSR were able to obtain personal data both from individuals who opted to use the App, and from Facebook friends of those users. The App was able to obtain various information from the individuals who opted to use the App, including (but not limited to) their public Facebook profile, including their name and gender, birthdate, news feed posts, email addresses, friends lists and photographs in which the users were tagged. The App collected personal data of approximately 87 million users worldwide, with at least one million being UK Facebook users.
Where the App collected data about the Facebook friends of the App’s users, those friends were not informed that the App was being given access to that data, nor were they asked to consent to such access.
Dr Kogan and/or GSR shared personal data about both users of the App and their Facebook friends with the Toronto Laboratory for Social Neuroscience (University of Toronto), Eunoia Technologies Inc. and SCL Elections Limited (which controls Cambridge Analytica). At least some of the data shared with these companies is likely to have been used in connection with or for the purposes of political campaigning.
On 6 May 2014, Dr Kogan gave an undertaking to Facebook that the App was being used for research purposes only, and not for commercial purposes. However, Facebook took no steps, or no sufficient steps, to ensure that the App was being operated consistently with the undertaking.
In breach of the undertaking, Dr Kogan and/or GSR marketed research on a commercial basis, derived from personal data collected by the App. The Facebook Companies terminated the App’s access rights to the Facebook Login API, and commenced an investigation into the operation of the App after becoming aware of the breach of the undertaking following an article in the Guardian Newspaper on 11 December 2015.
ICO finding
The Commissioner found that Facebook unfairly processed the personal data of users of the Facebook site, including those who were users of the App; those who exchanged Facebook messages with users of the App; and those who were Facebook friends with users of the App. In addition, Facebook allowed the App to operate in such a way that it collected personal data about Facebook friends without those friends being informed that such data was being collected, and without asking them to consent to such data collection (DPA 1998 – 1st Principle).
The ICO further found that the Facebook Companies failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data of the same categories of individuals mentioned above. The processing that took place by Dr Kogan and/or GSR was both unauthorised and unlawful and the Facebook Companies took no adequate steps to guard against such processing (DPA 1998 – 7th Principle).
Harm
The Commissioner was satisfied that the contravention was serious because it affected a very large number of individuals, a very substantial volume of personal data was shared with third parties, and personal data of UK users was put at serious risk of being shared with third parties and of being used in connection with political campaigning.
The Commissioner considered that the contravention would likely cause substantial distress because Facebook had permitted and/or enabled the App to process their data in contravention of the relevant legislation, and Facebook had failed to take adequate steps to protect their personal data.
Aggravating factors
No mention of aggravating features.
Mitigating factors
  • Once the Facebook Companies became aware of the matters raised in the newspaper article, they immediately terminated the App’s access to the Facebook Platform and investigated the way in which the App had been operated.
  • During the course of the Commissioner’s investigation, the Facebook Companies were cooperative, including by providing detailed answers to successive Information Notices served by the Commissioner.
Penalty
The Commissioner fined the Facebook Companies £500,000, reduced by 20% to £400,000 if the Facebook Companies paid by 23 November 2018.
ACT Response Ltd
29 October 2018
Breach of PECR – Regulation 21 (unsolicited telephone calls)
Monetary Penalty Notice: £140,000
Factual background
ACT Response Ltd (“ACT”) is a provider of security systems to homes and businesses.
In February 2018 the Commissioner began an investigation into ACT as a result of a high volume of complaints about unsolicited direct marketing calls being made by the company. ACT explained to the Commissioner that marketing calls were made on its behalf by a sister company, ACT Excel Ltd. The data used to make the marketing calls was obtained from ‘the telephone directory’. Whilst that data was screened against an internal suppression list, it was not screened against the TPS register. Call logs obtained from ACT revealed that it had made 609,797 unsolicited marketing calls between January 2017 and February 2018.
Between 1 January 2017 and 28 February 2018, 128 complaints were made to the TPS, or direct to the Commissioner, about unsolicited direct marketing calls made by ACT. All of these complaints were made by individual subscribers who were registered with the TPS. Upon receipt of a complaint, the TPS informed the company concerned and invited its response. ACT responded to the majority of those TPS complaints by citing ‘human error’. ACT explained to the Commissioner that the person responsible for dealing with TPS complaints had ‘been instructed to add complainant's details to the suppression list, rather than dealing in detail with the substance or the cause of the complaint itself.’
ICO finding
Between 1 January 2017 and 28 January 2018 ACT instigated the use of a public telecommunications service for the purpose of making 496,455 unsolicited direct marketing calls to subscribers, where the number allocated to the subscriber in respect of the line called was a number listed on the register of numbers kept by the Commissioner (regulation 21 of PECR).
Harm
The Commissioner was satisfied that the contravention was serious due to there being multiple breaches over a 14 month period leading to a significant number of complaints being made as a result.
Aggravating factors
  • ACT failed to take earlier action despite the number of TPS complaints made over a 14 month period.
Mitigating factors
  • ACT ceased telemarketing activities as of the commencement of the Commissioner's investigation.
Penalty
The Commissioner fined ACT £140,000, reduced by 20% to £112,000 if ACT paid by 28 November 2018.
Secure Home Systems Ltd
29 October 2018
Breach of Regulation 21 – PECR (unsolicited telephone calls)
Monetary Penalty Notice: £80,000
Factual background
Secure Home Systems Ltd (“Secure HS”) is a provider of home security systems.
In October 2017 the Commissioner received a high volume of complaints about unsolicited direct marketing calls being made by Secure HS. Secure HS explained to the Commissioner that it purchased data from various third parties, which it added to a central data file and used to make marketing calls. Secure HS further explained that it had received assurances that the data purchased had been screened against the TPS register. However, the Commissioner found that Secure HS did not have contracts with any of the third parties and had not carried out due diligence into the companies selling the data, nor into the source or quality of the data.
The Commissioner’s analysis of the data provided confirmed that, between 1 September 2017 and 31 December 2017, Secure HS had made calls to 84,347 subscribers who were registered with the TPS. Between 6 January 2016 and 28 February 2018, 268 complaints were made to the TPS or direct to the Commissioner about unsolicited direct marketing calls made by Secure HS. All of these complaints were made by individual subscribers who were registered with the TPS.
ICO finding
The ICO found that Secure HS used a public telecommunications service for the purpose of making 84,347 unsolicited calls for direct marketing purposes to subscribers registered with the TPS (regulation 21 of PECR).
Aggravating factors
  • There were no aggravating factors.
Mitigating factors
  • Secure HS stopped making unsolicited marketing calls and closed its call centres in early 2018, shortly after the commencement of the Commissioner's investigation.
Penalty
The Commissioner fined Secure HS £80,000, reduced by 20% to £64,000 if Secure HS paid by 28 November 2018.
Solartech North East Ltd
23 November 2018
Breach of PECR – Regulation 21 (unsolicited telephone calls)
Monetary Penalty Notice: £90,000
Factual background
Solartech North East Ltd’s (“SNEL”) business involved installing solar energy equipment, with its main trading activity involving windows, doors and roofing.
In February 2014, SNEL came to the attention of the ICO when a monthly TPS report showed that a number of complaints had been made about SNEL. Following communication with SNEL, the company explained that they had purchased the data from a third party and had assumed that it was TPS checked. SNEL was placed under a monitoring period of three months.
In March 2016, SNEL was again brought to the ICO’s attention, via a monthly TPS report, which contained further complaints about the company. SNEL attended a compliance meeting with the ICO and agreed to carry out a number of actions to remedy its non-compliance with Regulation 21 of PECR. SNEL was, again, placed on a period of monitoring, this time six months, over which time there was a slight decrease in the number of complaints received.
On 13 April 2017, the ICO informed SNEL that it would be subject to a further three month monitoring period. During that period, there was an increase in the number of TPS complaints received about SNEL.
An initial analysis of those complaints showed that, between 1 January 2017 and 30 June 2017, a total of 39 complaints were received by the TPS and a further 9 received by the ICO’s online reporting tool in respect of individuals who had received unsolicited direct marketing calls from SNEL, despite being registered with the TPS.
ICO finding
The Commissioner found that SNEL did not have the appropriate consent to make unsolicited direct marketing calls to subscribers registered with the TPS (regulation 21 of PECR).
The Commissioner did not consider the contravention to be deliberate; however, SNEL knew, or ought reasonably to have known, that there was a risk this contravention would occur. The ICO also found that SNEL had failed to take reasonable steps to prevent the contravention from taking place.
Harm
The Commissioner was satisfied that the contravention was serious because there were multiple breaches over a 6 month period, and this led to a significant number of complaints about unsolicited direct marketing calls to the TPS and the ICO.
In addition, the Commissioner concluded that it would be reasonable to suppose that the scale of the contravention was far higher, because those who went to the trouble of complaining represent only a proportion of those who actually received calls.
Based upon the sample of calls analysed for May and June 2017, an average of 75 per cent were to numbers that had been registered with the TPS for more than 28 days, which suggests that the number of calls to TPS-registered numbers is likely to be significantly higher than the complaint figures indicate.
Aggravating factors
  • During the course of the investigation, the network provider for a number of CLIs confirmed that, in May and June 2017, 75% of 100,103 calls sampled were registered with the TPS for more than 28 days. In addition, one individual reported to the TPS that they had continued to receive calls on numerous occasions despite having registered with the TPS and SNEL having previously confirmed the number was suppressed. This suggests little or no regard for the PECR regulations or TPS registration.
  • SNEL did not screen data despite claiming to hold a TPS licence, and there is no evidence that a TPS licence had been purchased.
  • SNEL failed to heed ICO advice surrounding key areas provided in May 2014 and September 2016.
  • ICO monitoring has been in place at various periods between 2014 and 2018.
  • SNEL purchased third party data without undertaking any or any sufficient due diligence, clearly indicating that any steps and measures in place to prevent such contraventions were deficient.
  • SNEL continued to make live marketing calls despite being aware of the ICO investigation and the reason for it. This led to 25 further complaints to the TPS and the ICO.
Mitigating factors
  • There has been a reduction in the overall number of complaints since January 2018.
Penalty
The Commissioner fined SNEL £90,000, reduced by 20% to £72,000 if SNEL paid by 27 December 2018.
DM Design Bedrooms Ltd
23 November 2018
Breach of PECR – Regulation 21 (unsolicited telephone calls)
Monetary Penalty Notice: £160,000
Factual background
DM Design Bedrooms Ltd’s (“DMDB”) business involves providing kitchens, bedrooms and bathrooms.
Between 1 April 2017 and 30 September 2017, 79 complaints were received by the TPS about DMDB, with a further 20 received by the ICO’s online reporting tool between 1 April and 31 October 2017.
DMDB explained that they operate a suppression list that they screen against the TPS register, which is downloaded every month. Upon further investigation by the ICO, it was found that the last time DMDB downloaded the TPS register was in March 2017.
DMDB explained that the current TPS register was held within its dialler system and was checked automatically for it by a third party called DXI Limited (“DXI”). The ICO served a Third Party Information Notice on DXI, which provided figures showing that, between 1 April 2017 and 30 November 2017, 4,726,964 calls were made by DMDB, of which 1,661,607 were made to numbers registered with the TPS.
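To make the screening obligation behind the SNEL and DMDB notices concrete, here is an added example, not from the tracker or from any of the companies named, of a call-list screen: it blocks numbers listed on a TPS register copy for more than 28 days (the figure the SNEL notice uses), honours an internal suppression list, fails closed when the register copy is stale (DMDB's copy had last been downloaded in March 2017), and computes the share of a call sample made to registered numbers, the kind of figure a network provider produced for the SNEL investigation. The register entries, dates, numbers (Ofcom drama range) and the 31-day staleness threshold are all constructed assumptions.

```python
from datetime import date

# Figure the notices refer to: a number listed on the TPS for more than
# 28 days before the call counts as registered for screening purposes.
TPS_LISTING_DAYS = 28
# Assumption: a register copy older than this is treated as stale.
MAX_REGISTER_AGE_DAYS = 31


def normalise(number):
    """Reduce a UK number to bare national form so register lookups match."""
    digits = "".join(ch for ch in number if ch.isdigit() or ch == "+")
    if digits.startswith("+44"):
        digits = "0" + digits[3:]
    elif digits.startswith("44") and len(digits) == 12:
        digits = "0" + digits[2:]
    return digits


def screen_call_list(numbers, call_date, tps_register, register_downloaded,
                     suppression_list=frozenset()):
    """Decide which numbers may be dialled on call_date.

    tps_register maps normalised numbers to the date they were listed.
    Returns (callable, blocked, warnings); blocked maps number -> reason.
    Fails closed: a stale register copy clears nothing for dialling.
    """
    register_age = (call_date - register_downloaded).days
    stale = register_age > MAX_REGISTER_AGE_DAYS
    warnings = []
    if stale:
        warnings.append(f"TPS register copy is {register_age} days old; "
                        "refresh it before dialling")
    callable_numbers, blocked = [], {}
    suppressed = {normalise(n) for n in suppression_list}
    for raw in numbers:
        n = normalise(raw)
        if n in suppressed:
            blocked[n] = "internal suppression list (prior objection)"
            continue
        listed_on = tps_register.get(n)
        if listed_on is not None:
            listed_days = (call_date - listed_on).days
            if listed_days > TPS_LISTING_DAYS:
                blocked[n] = f"TPS registered {listed_days} days"
                continue
            # Inside the 28-day window: not yet a breach, but the number must
            # be re-screened before any later campaign.
            warnings.append(f"{n}: TPS listing is {listed_days} days old, "
                            "re-screen before any later call")
        if stale:
            blocked[n] = "held: register copy stale"
        else:
            callable_numbers.append(n)
    return callable_numbers, blocked, warnings


def tps_listed_share(call_log, tps_register):
    """Fraction of logged (number, call_date) pairs made to numbers listed
    for more than TPS_LISTING_DAYS at the time of the call."""
    if not call_log:
        return 0.0
    hits = 0
    for raw, call_date in call_log:
        listed_on = tps_register.get(normalise(raw))
        if listed_on is not None and (call_date - listed_on).days > TPS_LISTING_DAYS:
            hits += 1
    return hits / len(call_log)


# Constructed sample data (Ofcom drama-range 01632 960xxx numbers).
SAMPLE_REGISTER = {
    "01632960100": date(2017, 4, 1),   # listed 61 days before the call date
    "01632960101": date(2017, 5, 20),  # listed 12 days before the call date
}
SAMPLE_NUMBERS = ["01632 960100", "+44 1632 960101", "01632960102", "01632960103"]
SAMPLE_SUPPRESSION = {"01632960102"}
SAMPLE_CALL_DATE = date(2017, 6, 1)
FRESH_COPY = date(2017, 5, 25)   # register downloaded a week before dialling
STALE_COPY = date(2017, 3, 15)   # a March copy, as in the DMDB notice

if __name__ == "__main__":
    ok, blocked, warns = screen_call_list(SAMPLE_NUMBERS, SAMPLE_CALL_DATE,
                                          SAMPLE_REGISTER, FRESH_COPY,
                                          SAMPLE_SUPPRESSION)
    print("callable:", ok, "blocked:", blocked, "warnings:", warns)
    ok, blocked, _ = screen_call_list(SAMPLE_NUMBERS, SAMPLE_CALL_DATE,
                                      SAMPLE_REGISTER, STALE_COPY,
                                      SAMPLE_SUPPRESSION)
    print("with stale register, callable:", ok)
```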
ICO finding
The ICO found that DMDB did not have the appropriate consent to make unsolicited direct marketing calls to subscribers registered with the TPS.
The ICO considered the contravention deliberate and held that the inadequacies were more than matters of serious oversight. The ICO further held that, despite being issued with a monetary penalty of £90,000 on 18 March 2013, DMDB’s current breaches illustrated a clear lack of remedial measures being taken to address their compliance issues.
Harm
The ICO was satisfied that the contravention was serious due to there being multiple breaches over an eight month period and the number of complaints received. In addition, there was evidence of repeat calls despite requests of the recipients to be removed from DMDB’s marketing lists and the complaints indicated that the recipients suffered rude and potentially intimidating behaviour from DMDB’s callers.
There was no evidence of sufficient contractual terms between DMDB and the data suppliers and any due diligence checks being carried out on the data received to ensure that the data purchased was fit for purpose and compliant with PECR.
Aggravating factors
  • The ICO did not consider any aggravating features.
Mitigating factors
  • The ICO did not consider any mitigating features.
Penalty
The Commissioner fined DMDB £160,000, reduced by 20% to £128,000 if DMDB paid by 27 December 2018.
Uber B.V., Uber London Limited, Uber Britannia Limited, Uber Scot Limited, Uber NIR Limited
26 November 2018
Breach of DPA 1998 – 7th Principle (personal data must be kept secure)
Monetary Penalty Notice: £385,000
Factual background
Uber is a global transport network company, which operates through a mobile telephone application.
Amazon Web Services’ Simple Storage Service (“S3”) is a cloud-based storage service that enables businesses to store large quantities of data in a collection of cloud-based ‘buckets’. Personal data belonging to individuals in the UK was transferred to Uber US by Uber BV under a data processing agreement. Uber US serves as a data processor to Uber BV and Uber UK, and used S3 as one of the systems to store the data received.
From 13 October 2017 to 15 November 2017, Uber US’s data stored on the S3 system was subject to a cyberattack, and the attackers were able to download the contents of 16 files. Personal data belonging to Uber users in the UK was contained in the downloaded files, including information such as full names, email addresses and the initial sign-up locations of users who had switched on the location data functionality. Personal data of drivers was also contained in the files, including drivers’ licence numbers and how much the drivers were paid each week.
After alerting Uber US to the attack, the attackers demanded a payment of at least $100,000, and implied that the data would not be destroyed until payment had been received. In response, Uber US paid the monies, took steps to put an end to the attack and obtained assurances from the attackers that the downloaded data had been destroyed. Uber explained to the Commissioner that since the attack a number of additional measures have been completed, including the adoption of multifactor authentication for access to the S3 data store.
ICO finding
The ICO found that Uber did not have the appropriate technical and organisational measures for ensuring, so far as possible, that such an incident would not occur (DPA 1998 – 7th Principle).
In particular:
  • Uber US’s policies and practices did not adequately cover the risk presented by the use of third party platforms without multifactor authentication.
  • Uber US treated the incident as a bug bounty rather than a security breach, which demonstrated an inadequacy in its decision making.
Harm
The ICO was satisfied that the contravention was serious because the breach involved a large amount of personal data and Uber only took steps to institute additional fraud monitoring of the affected accounts 12 months after the breach.
The ICO also considered that the contraventions were likely to cause substantial distress and the delay in reporting the breach was likely to have compounded the distress that affected individuals suffered.
The ICO further considered that Uber knew or ought to have known that there was a risk that the contraventions would occur and would cause substantial distress, and that Uber failed to take reasonable steps to prevent such a contravention.
Aggravating factors
  • Uber did not notify the Commissioner of the breach upon learning of it. Instead, the Commissioner became aware that the security breach had taken place via reports in the media.
  • None of the data subjects were notified that their personal data had been compromised at the time of the breach.
  • There was a significant delay in the Commissioner and the data subjects being notified of what had occurred.
Mitigating factors
  • Uber was not aware that the security breach had occurred and was therefore not in a position to report the breach to the Commissioner.
  • There was no evidence that the compromised personal data was used for successful identity theft or fraud activities.
  • The location history, location over time, payment card numbers, bank account numbers, date of birth, or government or tax identifiers were not identified in the compromised data.
  • Uber took substantial and prompt remedial action to prevent a recurrence of this type of incident.
  • The incident giving rise to the breach was a cyberattack on a third party system and the integrity of Uber’s internal systems was not compromised.
Penalty
The Commissioner fined Uber £385,000, reduced by 20% to £308,000 if Uber paid by 2 January 2019.
Tax Returned Limited
10 December 2018
Breach of PECR – Regulation 22 (unsolicited marketing texts)
Monetary Penalty Notice: £200,000
Factual background
Tax Returned Limited (“TRL”) first came to the attention of the Commissioner following review of its monthly threat assessment for 'July - August 2017', which showed that a number of complaints had been received about unsolicited direct marketing messages advertising the services of TRL, together with a quantity of complaints made to the ICO's own online reporting tool.
The ICO sent an initial investigation letter on 24 October 2017 asking questions about TRL's practices, and setting out the Commissioner's concerns regarding TRL's compliance with the DPA and PECR. As a part of its response, TRL indicated that it markets its services in part by sending direct marketing text messages; a portion of these messages are sent via a specific third party service provider (referred to hereafter as a "TPSP"), which send direct marketing messages to prospective clients at the instigation of TRL (referred to by TRL as "Type 2 messages").
TRL confirmed that a total of 22,700,000 of these Type 2 messages were sent over the period of the contravention, with 14,800,000 of those being received by subscribers. TRL indicated that for the Type 2 messages they do not themselves purchase any data, nor do they directly obtain any consent of recipients, or engage in the actual sending of the messages; rather they task the TPSP to obtain this data, and to send direct marketing messages on behalf of TRL to subscribers who have purportedly opted-in to receive such marketing (i.e. relying on indirect consent).
TRL provided the Commissioner with a copy of an 'Insertion Order' detailing a purchase agreement between themselves as advertiser and the TPSP as the publisher. Whilst this 'Insertion Order' does contain a single sentence stating 'data used by Mobivate Limited is fully opted in for the Tax Returned offer', it contains no further details and the Commissioner is not satisfied that this is sufficient for TRL to meet its due diligence obligations. There exists no other form of contract between the parties, with TRL relying chiefly on assurances of the TPSP as to the nature and validity of the data used.
TRL provided the Commissioner with details of some of the consents on which they purport to rely for the complaints received, with reference to the websites from which these consents were obtained and timestamps for when they were given by the individual subscribers. For some of the complaints, TRL indicated that they would be unable to supply any evidence of consent since the organisation/website from which it had been obtained had since ceased trading.
During the investigation the Commissioner requested, and was provided with, copies of the Privacy Policies and Fair Processing Notices for a number of these websites where consent had purportedly been obtained.
ICO finding
Between the dates of 1 July 2016 and 20 October 2017, TRL instigated the transmission of 14,800,000 unsolicited communications by means of electronic mail to individual subscribers for the purposes of direct marketing contrary to regulation 22 of PECR.
On review it was apparent to the Commissioner that the wording of the policies was not sufficiently clear and precise to give the subscriber a reasonable expectation that they would receive direct marketing text messages advertising the services of TRL. Moreover, in the majority of cases it was noted that neither TRL nor its TPSP was listed at all as a potential third party with whom data would be shared.
Harm
The Commissioner is satisfied that the contravention identified above was serious. This is because between the dates of 1 July 2016 and 20 October 2017, a total of 14,800,000 direct marketing text messages were delivered at the instigation of TRL to subscribers without their consent. This resulted in 2,146 complaints.
Aggravating factors
  • TRL knew or ought reasonably to have known that there was a risk that these contraventions would occur.
  • The Commissioner was not provided with formal contracts or other evidence of due diligence being carried out and she was therefore satisfied that TRL failed to take reasonable steps to ensure that the consents obtained were clear, specific and valid.
  • TRL had no written data protection training procedures in place which, if there had been, may have alerted TRL to the risks of such practices.
Penalty
The Commissioner fined TRL £200,000, reduced by 20% to £160,000 if it paid by 16 January 2019.
Darren Harrison
3 December 2018
Prosecution under DPA 1998, s.55 (unlawfully obtaining personal data)
Fine: £700 (plus £364.08 costs and £35 victim surcharge)
Darren Harrison obtained personal information about schoolchildren from two primary schools at which he had previously worked and uploaded the data onto his former school's servers. Mr Harrison stated that he took the data from the system for professional purposes. The information included names, unique pupil numbers, pupil attainment and progress spreadsheets, along with performance management data for staff.
Mr Harrison admitted to two offences of unlawfully obtaining personal data, in breach of s55 of the Data Protection Act 1998.
Action:
Mr Harrison was fined £700 and ordered to pay costs of £364.08 and a victim surcharge of £35.
Hannah Pepper
28 November 2018
Prosecution under DPA 1998, s.55 (unlawfully obtaining personal data)
Fine: £350 (plus £643.75 costs and £35 victim surcharge)
An administration assistant at a doctor’s surgery was fined for inappropriately accessing patient and staff records.
Hannah Pepper accessed the electronic clinical records of 231 individuals (consisting of records of 228 patients and 3 members of staff) outside of her role as an administration assistant.
Pepper admitted a charge of breaching section 55 of the DPA 1998 by unlawfully obtaining personal data when she appeared at King’s Lynn Magistrates’ Court.
Action:
Pepper was fined £350 for the offence of obtaining personal data, and ordered to pay prosecution costs of £643.75 and a victim surcharge of £35.
WhatsApp Inc.
12 March 2018
DPA 1998 – 1st (personal data must be processed fairly and lawfully) and 2nd (personal data must be processed for specific lawful purposes) Principles
Undertaking
On 12 March 2018, WhatsApp Inc, the operator of the WhatsApp Messenger Service, signed an undertaking, issued by the Commissioner, requiring that it does not share personal data with Facebook Inc or other companies associated with Facebook Inc (together "Facebook") until it could do so in compliance with the General Data Protection Regulation, which entered into force on 25 May 2018.
The WhatsApp Messenger Service is a mobile messaging service for smartphones that has end-to-end encryption, and uses the internet to send text messages, documents, images, video and audio messages between users. The Commissioner’s 14 month-long investigation focused on whether WhatsApp was sharing personal data with Facebook, its parent company. The most recent version of WhatsApp's Privacy Policy, prior to the acquisition of WhatsApp by Facebook in 2014, was dated July 2012. This Privacy Policy did not expressly provide for WhatsApp to share any personal data that it held about its users with Facebook.
On 25 August 2016, WhatsApp launched an updated version of its Terms of Service and its Privacy Policy. The updated version of the Privacy Policy indicated that WhatsApp planned to share UK users’ personal data with Facebook for the following purposes:
  • The Service Analysis Purpose (using personal data to help improve the services and offerings of WhatsApp and Facebook),
  • The System Security Purpose (using personal data to fight spam, abuse or infringement activities),
  • The Facebook Product and Advertising Purpose (if an existing user did not elect their choice to opt-out, their data would be shared to improve users’ experience, such as making product suggestions).
The Commissioner determined that WhatsApp’s Privacy Policy envisaged companies in the Facebook family, with which the personal data of WhatsApp users was shared on a controller-to-controller basis for the purposes outlined above, using such data for their own business purposes and, when this sharing occurred, they would therefore become data controllers in respect of such data. The Commissioner was of the view that WhatsApp processes relevant data using equipment in the UK (i.e., smartphones of UK users), and therefore comes within the scope of the DPA 1998.
The Commissioner further determined that, had WhatsApp proceeded to share EU users’ (including UK users’) personal data with the Facebook family of companies on a controller-to-controller basis so that those companies could use such data for the benefit of their own businesses, whether for the Service Analysis Purpose, the System Security Purpose, the Facebook Product and Advertising Purpose, or otherwise, that such sharing would have contravened the DPA 1998’s First and Second Principles.
The Commissioner’s conclusion is based on the following deductions:
  • WhatsApp not identifying a lawful basis of processing for any such sharing of personal data. Hence such sharing would have contravened the DPA 1998’s First Principle.
  • WhatsApp failing to provide adequate fair processing information to users, in relation to any such sharing of personal data. For this reason also, such sharing would have contravened the DPA 1998’s First Principle.
  • In relation to existing users, such sharing would have involved the processing of personal data for a purpose that is incompatible with the purpose for which such data were obtained. This would have contravened the DPA 1998’s Second Principle.
In respect of any sharing of personal data between WhatsApp and any company in the Facebook group on a controller-to-controller basis, WhatsApp Inc. and WhatsApp Ireland Limited (together "WhatsApp") both gave the following voluntary public commitment:
  • WhatsApp will not transfer any WhatsApp EU user data (including for UK users) to any other Facebook company on a controller-to-controller basis, for any purpose, prior to the GDPR coming into force on 25 May 2018;
  • WhatsApp will only commence the sharing of WhatsApp EU user data (including for UK users) with any other Facebook company for safety and security purposes, or any other purposes, on a controller-to-controller basis after the GDPR comes into effect, and in full compliance with the GDPR's requirements, including concerning legal bases and the provision of information to users; and
  • In the event that WhatsApp plans to commence the sharing of WhatsApp EU user data (including for UK users) with Facebook companies on a controller-to-controller basis, for the purposes of using this data to improve Facebook's products and advertising after the GDPR comes into force, it will only do so in accordance with the requirements of the GDPR, and working with its competent Lead Supervisory Authority under Article 56 of the GDPR.
ICO issues the first fines to organisations that have not paid the data protection fee
All organisations, companies and sole traders that process personal data must pay an annual fee to the Commissioner unless they are exempt. This data protection fee replaces the need to notify or register with the Commissioner that existed under the Data Protection Act 1998.
Organisations across the business, finance and manufacturing sectors are among the first to be fined by the Commissioner for not paying the data protection fee. Since September 2018, more than 900 notices of intent to fine have been issued by the Commissioner and more than 100 penalty notices have been issued in this first round. Once a penalty notice has been issued, organisations have 28 days to pay the fine or risk further legal action.
The fees and fines are:
  • Tier 1 – micro organisations: maximum turnover of £632,000 or no more than ten members of staff. Fee: £40; fine: £400.
  • Tier 2 – SMEs: maximum turnover of £36 million or no more than 250 members of staff. Fee: £60; fine: £600.
  • Tier 3 – large organisations: those not meeting the criteria of Tiers 1 or 2. Fee: £2,900; fine: £4,000.
A discount of £5 is applied for payments made by direct debit.
A higher fine, up to a maximum of £4,350, may be issued where there are aggravating factors, including failure to co-operate with the Commissioner, the provision of misleading or false information or a previous history of non-compliance.
Money collected funds the Commissioner’s work to uphold information rights, including investigations into data breaches and complaints, its advice line, and the production of guidance and resources to help organisations understand and comply with their data protection obligations.
The Energy Saving Centre Ltd
16 April 2018
Breach of PECR – Regulation 21 (unsolicited telephone calls)
Monetary Penalty Notice: £250,000
Factual background
The Energy Saving Centre (“ESC”) offered a range of home improvement services, including replacement windows, doors, energy saving glass, and guttering.
Between 21 June 2016 and 30 January 2017, 377 complaints were received in respect of unsolicited calls from ESC. In addition, the Commissioner’s online reporting tool showed that a further 148 complaints had been received in the same period from individuals who were registered with the TPS but had received unsolicited direct marketing calls from ESC.
Since the initial period of the ICO’s investigation (namely, since 1 February 2017), a further 613 complaints had been made regarding unsolicited calls from ESC, which brought the total number of complaints between 21 June 2016 and 30 September 2017 to 1,138.
ICO finding
The ICO found that ESC had used a public telecommunications service for the purpose of making 1,138 unsolicited calls for direct marketing purposes to subscribers and did not have prior consent to do so (regulation 21 of PECR).
The ICO did not consider that the contravention was deliberate, but also found that ESC had failed to take reasonable steps to prevent the contravention.
Harm
The Commissioner was satisfied that the contravention of regulation 21 of PECR was serious, because ESC's activities involved multiple breaches of regulation 21 over a 15-month period, leading to a significant number of complaints about unsolicited direct marketing calls to the TPS and the ICO.
In addition, it was reasonable to suppose that the true scale of the contravention was far higher, because those who went to the trouble of complaining represented only a proportion of those who actually received calls. ESC made 7,191,958 marketing calls between 21 June 2016 and 30 January 2017; these calls were not screened against the TPS register, nor were there sufficient contractual terms in place to ensure the veracity of the data upon purchase. Of the 42,499 calls made on 5 December 2016 alone, 78.7 per cent were to numbers that had been registered with the TPS for more than 28 days.
Aggravating factors
  • ESC failed to disclose all of the calling line identifications (“CLIs”) it used, and there was a general lack of engagement during the Commissioner’s investigation.
  • During the course of the investigation, British Telecom provided a list of CLIs dialled by ESC on one particular day, 5 December 2016. Of the 42,499 separate and distinct CLIs, 33,626 (79.1%) were registered with the TPS, of which 33,432 (78.7%) had registered on, or before, one month prior to the commencement of the Commissioner's enquiry. This suggests little or no regard for PECR or for TPS registration.
  • ESC continued to make live marketing calls despite being aware of the ICO investigation and the reason for it. Between 1 February 2017 and the end of January 2018, a further 776 complaints were made to the TPS and to the Commissioner's Online Reporting Tool about unsolicited calls by ESC.
Penalty
The Commissioner fined ESC £250,000, reduced by 20% to £200,000 if ESC paid by 15 May 2018.

"As well as looking at how to improve their levels of legal compliance, I would encourage organisations to focus on how good approaches to the handling of personal data can help them to deliver on their business purpose, to help and sustain the creation of long term value and trust."

Stewart Room, PwC Partner

Global summary

Our 2017 global summary provides a synopsis of key privacy issues and trends in 34 countries - 17 in Europe and 17 in the rest of the world. 

The 2018 version will be released shortly.
